Unpatched DNS bug affects millions of IoT devices

A vulnerability in the domain name system (DNS) component of a popular C standard library, a standard library for the C programming language, which is present in a wide range of Internet of Things (IoT) devices may put millions of devices at DNS poisoning attack risk. 

DNS poisoning is tricking the target device into pointing to an arbitrarily defined endpoint and engaging in network communications with it. By doing that, the attacker would be able to reroute the traffic to a server under their direct control.

A blog post from a team of security analysts at Nozomi Networks explained the flaw exists in all versions of the widely used C standard library for IoT gear called uClibc, as well as uClibc-ng, which is a special version for OpenWRT, a “common OS for routers deployed throughout various critical infrastructure sectors.”

The bug exists in big name-brand products such as Linksys, Netgear, Axis, and in Linux distributions like Embedded Gentoo. Since January, the vulnerability has been disclosed to over 200 vendors, and it likely affects millions of installed devices.

The Nozomi researchers haven’t provided other specifics on the devices publicly, as the DNS bug is still unpatched. But they provided details on the bug and its exploitability after the library's maintainer was unable to develop a fix. Now it is soliciting help from the community.

The impact of an exploit could be significant, “because of its relevance, DNS can be a valuable target for attackers,” the research team explained in the post.

“A DNS poisoning attack is able to deceive a DNS client into accepting a forged response. By poisoning DNS records, the attacker is capable of rerouting network communications to a server under their control,” the Nozomi team warned. “The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them.”

The flaw was discovered in September 2021 and CISA was notified about it. They reported to the CERT Coordination Center in December and in January 2022, it disclosed the vulnerability to over 200 potentially impacted vendors.

Currently, all stakeholders are coordinating to develop a patch. First all the affected vendors will have to apply the patch by implementing the new uClibc version on firmware updates. This will take a while for the fixes to reach end consumers.

Users of IoT devices must check for new firmware releases from vendors and apply the latest updates as soon as they are available, said the researchers.