Unpatched DNS-Poisoning Bug Affects Millions of Devices, Stumps Researchers

The security vulnerability puts wide swaths of industrial networks and IoT devices at risk of compromise, researchers warn.

Dark Reading Staff, Dark Reading

May 3, 2022


After months of work by industrial control systems (ICS) cybersecurity teams, a fix for a widespread Domain Name System (DNS) poisoning bug still hasn't been found. Now they're asking for help from the wider cybersecurity community.

A blog post from a team of ICS analysts at Nozomi Networks explained that the flaw exists in all versions of uClibc, a widely used C standard library for Internet of Things (IoT) gear, as well as in uClibc-ng, a special version for OpenWRT, a "common OS for routers deployed throughout various critical infrastructure sectors."

As such, the bug exists in big name-brand products from Linksys, Netgear, and Axis, and in Linux distributions such as Embedded Gentoo. Since January, the vulnerability has been disclosed to 200+ vendors, and it likely affects millions of installed devices.

Additional specifics on the devices affected aren't being provided publicly because the DNS bug is still unpatched, but Nozomi provided details on the bug and its exploitability after the library's maintainer was unable to develop a fix — in hopes of soliciting help from the community.

The impact of an exploit could be significant: "Because of its relevance, DNS can be a valuable target for attackers," the research team explained in the post. "In a DNS poisoning attack, an attacker is able to deceive a DNS client into accepting a forged response, thus inducing a certain program into performing network communications with an arbitrarily defined endpoint, and not the legitimate one." 

Once successful, the attacker could alter or intercept network traffic to compromise connected devices, the team said.  

"A DNS poisoning attack enables subsequent Man-in-the-Middle attacks because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control," the Nozomi team warned. "The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them."
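The poisoning scenario Nozomi describes hinges on a DNS client accepting a forged response as the answer to its own query. The following C function, an added illustration that is not code from the article, from Nozomi, or from uClibc, shows the basic consistency checks a stub resolver applies before trusting a reply: same transaction ID, response flag set, and a question section byte-identical to the one sent. The article does not describe the root cause of the uClibc bug, so this is the general acceptance check, not the flaw itself; the sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length of the question section (QNAME + QTYPE + QCLASS) that starts at
 * offset 12, or 0 if the packet is truncated or uses a compression pointer
 * there (a well-formed question never needs one). */
static size_t question_len(const uint8_t *pkt, size_t len) {
    size_t i = 12;
    while (i < len) {
        uint8_t lab = pkt[i];
        if (lab == 0) return (i + 5 <= len) ? (i + 5 - 12) : 0;
        if (lab >= 64) return 0;      /* compression pointer or bad label */
        i += 1 + lab;
    }
    return 0;
}

/* Returns 1 only if `resp` is a plausible answer to `query`: same 16-bit
 * transaction ID, QR bit clear in the query and set in the response,
 * exactly one question on both sides, and identical question bytes.
 * Anything else is treated as unsolicited or forged and discarded. */
int dns_response_matches(const uint8_t *query, size_t qlen,
                         const uint8_t *resp, size_t rlen) {
    if (qlen < 12 || rlen < 12) return 0;
    if (memcmp(query, resp, 2) != 0) return 0;                    /* ID */
    if ((query[2] & 0x80) != 0 || (resp[2] & 0x80) == 0) return 0; /* QR */
    if (query[4] != 0 || query[5] != 1) return 0;            /* QDCOUNT */
    if (resp[4] != 0 || resp[5] != 1) return 0;
    size_t ql = question_len(query, qlen);
    if (ql == 0 || ql != question_len(resp, rlen)) return 0;
    return memcmp(query + 12, resp + 12, ql) == 0;
}

/* Constructed sample: A query for example.com with transaction ID 0x1234. */
static const uint8_t kQuery[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01 };
/* Constructed legitimate reply: same ID, QR set, one A record (TTL 3600). */
static const uint8_t kGoodResp[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04,
    0x5d, 0xb8, 0xd8, 0x22 };
/* Constructed forgery: right question, wrong transaction ID (0x1235). */
static const uint8_t kBadIdResp[] = {
    0x12, 0x35, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04,
    0x0a, 0x00, 0x00, 0x01 };
```

A reply that fails any of these checks is dropped rather than cached; matching the ID and question is necessary for correctness but only raises the bar against forgeries to the extent those fields are unpredictable to the attacker.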
