Researchers on Monday reported they discovered a vulnerability affecting the DNS implementation of all versions of uClibc and uClibc-ng, a popular C standard library in many well-known IoT products.
In a blog post, Nozomi Networks Labs said the flaw was caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may let attackers perform DNS poisoning attacks against the targeted devices.
The researchers reported that major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions such as Embedded Gentoo use uClibc. The researchers explained that uClibc-ng was specifically designed for OpenWRT, a common OS for routers possibly deployed throughout various critical infrastructure sectors.
Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. That’s why Nozomi Networks didn’t disclose the details on the devices in which they were able to expose this vulnerability.
"Threat actors are increasingly focused on delivering vulnerabilities through open source software libraries and exploiting them through IoT devices,” said Bud Broomhead, CEO at Viakoo.
Broomhead said this gives many advantages to cyber criminals: they can make many devices vulnerable through the use of commonly used software libraries, and because IoT devices often lack IT-class security solutions, threat actors can breach these devices without detection in many cases.
“There not being a patch available yet is an issue, but the much bigger challenge is when that patch becomes available, how quickly can it be deployed on a wide range of IoT devices,” Broomhead asked. “Because there are potentially hundreds of devices makes and models impacted, and those devices are often managed and run outside of IT (often IoT is managed by manufacturing, facilities, or physical security teams or similar), the window of vulnerability will be very long regardless of when a patch is available. Having an accurate device inventory through use of a discovery solution and an automated IoT vulnerability remediation solution will be needed to shrink the time of this vulnerability being exploitable.”
