Cybersecurity researchers have uncovered an unpatched flaw that could threaten IoT products.
The flaw, originally reported in September 2021, affects the Domain Name System (DNS) implementation of two well-known C libraries, uClibc and uClibc-ng, which form part of embedded Linux systems.
Major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, use uClibc, potentially putting millions of IoT devices at risk.
“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.
DNS poisoning, also called DNS spoofing, entails corrupting a DNS resolver cache, which provides clients with the IP address associated with a domain name, in order to redirect users to malicious websites.
An attacker who successfully exploits the flaw can carry out Man-in-the-Middle (MitM) attacks and corrupt the DNS cache, rerouting internet traffic to a server under their control.
Nozomi Networks warned that the vulnerability could be insidiously exploited if the operating system is configured to use a fixed or predictable source port.
“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” the researchers said.
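To check whether a device shows the weakness described above, a defender can capture its outbound DNS queries and test whether the transaction IDs and source ports follow a pattern. The Python below is an added example, not code from Nozomi Networks or the uClibc project; the function names, the 0.8 threshold, the minimum sample size, and the sample captures are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, name="example.com"):
    """Constructed sample input: a minimal DNS A query with the given ID."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_txid(payload):
    """Return the 16-bit transaction ID of a DNS query, or None if not a query."""
    if len(payload) < 12:          # shorter than a DNS header
        return None
    txid, flags = struct.unpack("!2H", payload[:4])
    return None if flags & 0x8000 else txid   # QR bit set means a response

def dominant_step(values):
    """Most common consecutive difference (mod 2^16) and its share of all steps."""
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    if not steps:
        return None, 0.0
    step, count = Counter(steps).most_common(1)[0]
    return step, count / len(steps)

def assess(observations, threshold=0.8, min_queries=8):
    """observations: (source_port, udp_payload) pairs from one client, in capture order."""
    seen = [(port, parse_txid(data)) for port, data in observations]
    ports = [port for port, txid in seen if txid is not None]
    ids = [txid for _, txid in seen if txid is not None]
    enough = len(ids) >= min_queries      # too few samples proves nothing
    id_step, id_share = dominant_step(ids)
    _, port_share = dominant_step(ports)
    id_bad = enough and id_share >= threshold
    return {
        "queries": len(ids),
        "txid_predictable": id_bad,
        "txid_step": id_step if id_bad else None,
        "port_predictable": enough and port_share >= threshold,
        "port_fixed": enough and len(set(ports)) == 1,
    }

# Constructed captures: sequential IDs from one port vs. scattered IDs and ports.
WEAK = [(53000, build_query((0xFFFC + i) & 0xFFFF)) for i in range(10)]
STRONG_IDS = [0x9A31, 0x04C7, 0xE2B0, 0x5D18, 0x71F3, 0xC86E, 0x2A95, 0xB40C, 0x1F67, 0x83DA]
STRONG_PORTS = [41233, 58810, 33907, 49152, 61004, 37555, 52719, 45068, 60321, 35890]
STRONG = [(p, build_query(t)) for p, t in zip(STRONG_PORTS, STRONG_IDS)]

if __name__ == "__main__":
    print("weak:  ", assess(WEAK))
    print("strong:", assess(STRONG))
```

A device flagged with both `txid_predictable` and `port_fixed` matches the condition Nozomi Networks warns about; the differences are taken modulo 2^16 so a counter that wraps past 0xFFFF is still recognised.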