Threat Watch

Vulnerability in uClibc Library May Lead to DNS Poisoning Attacks Against IoT Devices

Security researchers at Nozomi Networks recently issued an advisory warning of the possibility of DNS poisoning attacks against devices that use the uClibc and uClibc-ng C standard libraries. The vulnerability remains unpatched, and the exact names of affected devices have therefore not yet been disclosed. However, uClibc is used by OpenWRT, a widespread operating system for routers, and several major vendors such as Linksys, Netgear and Axis, as well as the Embedded Gentoo distribution, have been known to ship systems built on uClibc. The vulnerability stems from predictable DNS transaction IDs: an attacker who can win the race against the legitimate answer and can predict or brute-force the source port of the outgoing DNS request would be able to forge a DNS response that the device accepts, poisoning the router's DNS cache and opening the door to further Man in the Middle (MITM) and phishing attacks. There are currently no known reports of this attack in the wild.
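The two properties the advisory names, a transaction ID that advances predictably and a source port that never changes, can be checked from a trace of a device's outgoing DNS queries. The helper below is an added illustration written for this bulletin; it is not uClibc code or part of the advisory, and both sample traces are constructed (the first assumes an incrementing ID from a single fixed port, the second a properly randomised resolver).

```python
import random

# Constructed sample traces (not captured from any real device). Each entry is the
# (transaction ID, UDP source port) pair of one outgoing DNS query, in send order.
# PREDICTABLE_TRACE ASSUMES the weak pattern described above: an ID that simply
# increments, always sent from one fixed port.
PREDICTABLE_TRACE = [(0x1000 + i, 53000) for i in range(32)]
_rng = random.Random(1234)  # fixed seed so the "good" sample is reproducible
RANDOM_TRACE = [(_rng.randint(0, 0xFFFF), _rng.randint(1024, 0xFFFF)) for _ in range(32)]


def txid_from_wire(msg: bytes) -> int:
    """The transaction ID is the first 16-bit big-endian field of a DNS message (RFC 1035)."""
    return int.from_bytes(msg[:2], "big")


def txids_sequential(trace, min_len=8):
    """True if consecutive transaction IDs differ by one constant step (mod 2**16).

    A step of 0 (same ID every time) counts as sequential too: it is just as predictable.
    Fewer than min_len queries is treated as inconclusive (False).
    """
    ids = [txid for txid, _ in trace]
    if len(ids) < min_len:
        return False
    steps = {(b - a) % 0x10000 for a, b in zip(ids, ids[1:])}
    return len(steps) == 1


def assess(trace):
    """Summarise how hard a forged response would be to match against this resolver.

    min_guess_space is the number of (TXID, port) combinations a forged reply would
    have to cover to match the next query: 1 means the next pair is fully known.
    The count of distinct ports seen is only a lower bound on real port randomness.
    """
    ports = {port for _, port in trace}
    sequential = txids_sequential(trace)
    txid_space = 1 if sequential else 0x10000
    return {
        "txid_sequential": sequential,
        "fixed_source_port": len(ports) == 1,
        "min_guess_space": txid_space * len(ports),
    }
```

Feeding the helper from a packet capture of a device's outbound port-53 traffic turns it into a quick audit of whether that resolver shows the weak pattern.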

ANALYST NOTES

The maintainer of the library has asked for the community’s help in creating a patch; therefore, no known patch exists at this time. The vulnerability has been disclosed to the major affected vendors within the last 30 days; however, no relevant security advisories have been issued at this time. Binary Defense recommends that organizations employ, or continue to employ, network traffic analysis as one element of a defense in depth strategy. Given the pervasiveness of unpatched vulnerabilities in the modern threat environment, MDR and Threat Hunting services, such as those offered by Binary Defense, are highly recommended as post-exploitation components of a layered defense.

A DNS flaw impacts a library used by millions of IoT devices