Equipment from Netgear, Linksys and 200 others has unpatched DNS poisoning flaw



Hardware and software makers are scrambling to determine whether their products are affected by a recently discovered critical vulnerability in third-party code libraries used by hundreds of vendors, including Netgear, Linksys, Axis, and the Gentoo Linux distribution.

The flaw allows hackers with access to the connection between an affected device and the internet to poison the DNS queries the device uses to translate domain names into IP addresses, according to researchers at security firm Nozomi Networks, who published their findings on Monday. By repeatedly feeding a vulnerable device fraudulent IP addresses, an attacker can force end users to connect to malicious servers that impersonate Google or another trusted site.

The vulnerability, which was disclosed to vendors in January and made public on Monday, resides in uClibc and its fork uClibc-ng, both of which provide alternatives to the standard C library for embedded Linux. Nozomi said roughly 200 vendors embed at least one of the libraries in their products, according to a list of users published by the uClibc-ng maintainer.

The vulnerability and the lack of a fix underscore a problem with third-party code libraries that has worsened over the past decade. Many of them, even those like the OpenSSL cryptography library that are widely used to provide crucial security features, face funding and staffing shortfalls that make it difficult to find and fix security vulnerabilities.

“Unfortunately I was unable to resolve the issue on my own and I hope someone from the rather small community will step in,” the uClibc-ng maintainer wrote in an open forum post discussing the vulnerability. uClibc, meanwhile, hasn’t been updated since 2010, according to the downloads page for the library.

What is DNS poisoning, anyway?

DNS poisoning and its parent technique, DNS cache poisoning, allow hackers to replace the legitimate DNS lookup result for a trusted site with the IP address of a malicious server. That server can then impersonate the site while it attempts to install malware, phish passwords, or perform other nefarious actions.

Made practical at scale in 2008 by researcher Dan Kaminsky, DNS poisoning requires a hacker to impersonate an authoritative DNS server and flood a DNS resolver inside an ISP or network device with forged lookup results for a trusted domain. When the fraudulent response arrives before the legitimate one, end users are automatically connected to the impostor site. The attack worked because the transaction ID assigned to each lookup was predictable enough that attackers could include the right value in their forged responses.

Internet architects mitigated the problem by randomizing the source port a resolver uses each time it looks up a domain’s IP address. Whereas resolvers previously sent every query from a single fixed source port (with the server always listening on port 53), the new scheme picks a random source port per query. For a resolver to accept a returned IP address, the response must be addressed to that same port. Combined with a random 16-bit transaction ID, the attacker has to guess one combination out of billions, which makes landing on the right one impractical in the short window before the legitimate response arrives.

The vulnerability in uClibc and uClibc-ng stems from the predictability of the transaction ID the libraries assign to each lookup, combined with their failure to enforce source port randomization themselves, which leaves the choice of port to the operating system. Nozomi researchers Giannis Tsaraias and Andrea Palanca wrote:

Since the transaction ID is now predictable, to exploit the vulnerability, an attacker would need to craft a DNS response containing the correct source port, as well as win the race against the legitimate DNS response from the DNS server. The exploitability of the problem depends exactly on these factors. Since the library does not enforce any explicit source port randomization, it is likely that the problem can be easily exploited reliably if the operating system is configured to use a fixed or predictable source port.
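The two checks a stub resolver performs before trusting a UDP reply, and why a counter-style transaction ID plus a fixed source port collapses the guessing space, can be shown in a few dozen lines. The following is an added example written for this page, not code from the article, from Nozomi, or from uClibc: it builds real DNS wire-format queries and responses, applies the transaction-ID and port match a resolver uses, audits a constructed sequence of captured queries for the two weaknesses described above, and simulates an attacker who watched the previous query. Function names such as `audit_queries` and `spoof_attempt`, the sample transaction IDs and ports, and the fixed source port value used in the simulation are assumptions for illustration.

```python
"""Added example (not from the article, Nozomi, or uClibc): DNS reply
acceptance check plus a transaction-ID / source-port predictability audit.
All names, sample IDs and ports below are constructed for illustration."""
import random
import struct

# DNS header (RFC 1035): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
FIXED_PORT = 53  # assumed fixed source port for the predictable-resolver simulation


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    # flags 0x0100: standard query, recursion desired; one A/IN question
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ipv4: str) -> bytes:
    # flags 0x8180: response, RD+RA; echoes the question, one A record, TTL 300
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # 0xc00c -> offset 12
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1) + answer


def parse_header(pkt: bytes):
    return HEADER.unpack_from(pkt, 0)


def resolver_accepts(query: bytes, query_sport: int, reply: bytes, reply_dport: int) -> bool:
    """What a stub resolver matches before trusting a UDP reply: the 16-bit
    transaction ID, the QR bit, the echoed question, and the port the query left from."""
    qid = parse_header(query)[0]
    rid, flags = parse_header(reply)[:2]
    question = query[12:]
    return bool(rid == qid and flags & 0x8000 and reply[12:12 + len(question)] == question
                and query_sport == reply_dport)


def audit_queries(observed):
    """observed: list of (source_port, query_bytes) captured from a device, in order.
    Flags the two weaknesses Nozomi describes: IDs that advance by a constant
    step, and a source port that never changes. Returns the attacker's next guess."""
    ids = [parse_header(q)[0] for _, q in observed]
    ports = {p for p, _ in observed}
    deltas = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])}
    predictable = len(deltas) == 1
    step = next(iter(deltas)) if predictable else None
    return {
        "txid_predictable": predictable,
        "port_fixed": len(ports) == 1,
        "next_txid_guess": (ids[-1] + step) & 0xFFFF if predictable else None,
    }


def spoof_attempt(rng: random.Random, predictable: bool, budget: int) -> bool:
    """Attacker saw the previous query (ID 0x1234) and sends `budget` forged
    replies before the real one arrives. Counter ID + fixed port: one guess.
    Random ID + random port: each guess has a ~1 in 2^32 chance."""
    name, prev_id = "example.com", 0x1234
    if predictable:
        txid, sport = (prev_id + 1) & 0xFFFF, FIXED_PORT
    else:
        txid, sport = rng.getrandbits(16), rng.randrange(1024, 65536)
    query = build_query(txid, name)
    for _ in range(budget):
        if predictable:
            guess_id, guess_port = (prev_id + 1) & 0xFFFF, FIXED_PORT
        else:
            guess_id, guess_port = rng.getrandbits(16), rng.randrange(1024, 65536)
        forged = build_response(guess_id, name, "203.0.113.66")  # attacker-controlled address
        if resolver_accepts(query, sport, forged, guess_port):
            return True
    return False


if __name__ == "__main__":
    # Constructed capture: three queries from a resolver with a counter ID and a fixed port.
    weak = [(FIXED_PORT, build_query(i, "example.com")) for i in (0x1000, 0x1001, 0x1002)]
    print("weak resolver audit:", audit_queries(weak))
    print("one forged reply vs counter ID + fixed port:", spoof_attempt(random.Random(1), True, 1))
    print("1000 forged replies vs random ID + port:", spoof_attempt(random.Random(1), False, 1000))
```

Run the audit over real queries captured from the device under test (a few dozen in sequence are enough); a constant ID step together with a single source port is the condition under which the researchers say exploitation becomes reliable, while a varying port alone leaves the attacker a 16-bit port guess on top of the known ID.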

Nozomi said it does not list specific vendors, device models or software versions that are affected to prevent hackers from exploiting the vulnerability in the wild. “We can, however, reveal that it was a range of well-known IoT devices running the latest firmware versions with a high chance of being deployed in all critical infrastructures,” the researchers wrote.

On Monday, Netgear released a statement saying the company is aware of the vulnerabilities in the library and is evaluating whether any of its products are affected.

“All Netgear products use source port randomization and we are currently not aware of any specific exploit that could be used against the affected products,” the device manufacturer said. Representatives from Linksys and Axis did not immediately respond to emails asking if their devices were vulnerable.

Without more details, it is difficult to provide security advice to avoid this threat. People using a potentially affected device should monitor the vendor’s advisories for updates over the next week or two.
