Cybersecurity researchers have revealed an unpatched security vulnerability that could pose a serious risk to IoT products.
The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng which are used to develop embedded Linux systems.
uClibc is known to be used by major vendors like Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats.
“The flaw is caused by the predictability of transaction identifiers included in DNS queries generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Giannis Tsaraias and Andrea said. Palanca from Nozomi Networks. mentioned in a Monday article.
DNS poisoning, also known as DNS spoofing, is the technique of corrupting a DNS resolver cache – which provides clients with the IP address associated with a domain name – with the aim of redirecting users to malicious websites .
Successful exploitation of the bug could allow an adversary to perform Man-in-the-Middle (MitM) attacks and corrupts the DNS cache, effectively redirecting internet traffic to a server under their control.
Nozomi Networks warned that the vulnerability could be trivially reliably exploited if the operating system was configured to use a fixed or predictable source port.
“The attacker could then steal and/or manipulate the information submitted by users, and perform other attacks against these devices to completely compromise them,” the researchers said.