An unpatched vulnerability in a popular C standard library found in a wide range of IoT products and routers could put millions of devices at risk of attack.
The vulnerability, identified as CVE-2022-05-02 and discovered by Nozomi Networks, is present in the Domain Name System (DNS) component of the uClibc library and its fork uClibc-ng from the OpenWRT team. uClibc and uClibc-ng are widely used by Netgear, Axis, Linksys and other major vendors as well as in Linux distributions designed for embedded applications.
uClibc’s DNS implementation provides a mechanism for performing DNS-related queries, including lookups and translation of domain names to IP addresses.
A fix is not currently available from the developer of uClibc, which means that devices from over 200 vendors are at risk of DNS poisoning or DNS spoofing, which can potentially redirect a victim to a malicious website hosted on a server controlled by an attacker.
Risk of DNS poisoning
Nozomi security researchers first discovered the vulnerability in uClibc after examining traces of DNS queries made by a connected device, at which time they found several quirks caused by the library’s internal search function. Upon further investigation, the IoT security firm found that the transaction IDs of these DNS lookup requests were predictable and therefore DNS poisoning could be possible under certain circumstances.
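Defenders can run the same kind of check on their own DNS captures. The following is an added example, not code from Nozomi Networks or uClibc: it parses DNS query headers from constructed sample payloads and flags a client whose transaction IDs advance by a constant step. The function names, sample data and 0.8 threshold are assumptions, and a fixed step is only one form of predictability.

```python
import struct
from collections import Counter

def build_query(txid, name):
    """Build a minimal DNS query payload (used only to construct sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_txids(payloads):
    """Return the transaction IDs of DNS queries, in capture order."""
    ids = []
    for p in payloads:
        if len(p) < 12:
            continue  # shorter than a DNS header: not a DNS message
        txid, flags = struct.unpack("!HH", p[:4])
        if flags & 0x8000:
            continue  # QR bit set: this is a response, not a query
        ids.append(txid)
    return ids

def assess_txids(ids, min_samples=8, threshold=0.8):
    """Flag a sequence in which one delta (mod 2^16) dominates."""
    if len(ids) < min_samples:
        return {"verdict": "insufficient-data", "step": None, "share": 0.0}
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    share = count / len(deltas)
    verdict = "predictable" if share >= threshold else "no-fixed-step"
    return {"verdict": verdict, "step": step, "share": share}

# Constructed sample captures (UDP payloads only), one list per client device.
# SEQUENTIAL wraps around 0xFFFF to show that the modular delta handles rollover.
SEQUENTIAL = [build_query((0xFFFA + i) & 0xFFFF, "example.com") for i in range(12)]
SCATTERED = [build_query(t, "example.com") for t in
             (0x3A91, 0xC204, 0x07EE, 0x9B13, 0x51D0,
              0xE46A, 0x1F37, 0x88C5, 0x6D02, 0xB7F9)]

if __name__ == "__main__":
    for label, capture in (("device A", SEQUENTIAL), ("device B", SCATTERED)):
        print(label, assess_txids(query_txids(capture)))
```

A "no-fixed-step" verdict only rules out a constant increment; it does not show that the IDs come from a cryptographically strong generator.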
Nozomi Networks provided additional insight in a blog post about what an attacker could accomplish by performing DNS poisoning on vulnerable IoT devices and routers, saying:
“A DNS poisoning attack enables subsequent Man-in-the-Middle attacks because the attacker, by poisoning DNS records, is able to redirect network communications to a server under their control. The attacker could then steal and/or manipulate information submitted by users, and perform other attacks against these devices to completely compromise them. The main issue here is how DNS poisoning attacks can force an authenticated response.”
After discovering this flaw in uClibc in September last year, Nozomi immediately informed CISA about it, then reported its findings to the CERT Coordination Center in December. However, it wasn’t until January this year that the company disclosed the vulnerability to vendors whose devices might be affected by the flaw.
Although no fix is currently available, affected vendors and other stakeholders are working together to develop one. However, once a patch is ready, end users will need to apply it to their devices themselves via firmware updates, which could delay the time it takes for the vulnerability to be permanently fixed.