Kathleen Martin
Guest
Researchers on Monday reported they discovered a vulnerability affecting the DNS implementation of all versions of uClibc and uClibc-ng, a popular C standard library in many well-known IoT products.
In a blog post, Nozomi Networks Labs said the flaw was caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may let attackers perform DNS poisoning attacks against the targeted devices.
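To make the "predictable transaction ID" point concrete from the defender's side, here is an added example (not code from the article, Nozomi Networks, or the uClibc project) that parses the 16-bit transaction ID out of DNS query headers and scores a sequence of them for predictability: a dominant fixed stride between consecutive IDs (the classic incrementing counter) or heavy repetition both indicate an ID that a spoofed response could match. The DNS packets and the list of "random-looking" IDs are constructed inline, and the thresholds (80% fixed stride, under 50% distinct values) are assumptions chosen for this illustration, not values from the page.

```python
import math
import struct
from collections import Counter

# Minimal DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, all big-endian)
DNS_HEADER_LEN = 12


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal A-record query with the given transaction ID (constructed sample traffic)."""
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)  # RD bit set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(packet: bytes) -> int:
    """Return the transaction ID: the first two bytes of the DNS header."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]


def assess_txids(txids, stride_threshold: float = 0.8, distinct_threshold: float = 0.5) -> dict:
    """Score a sequence of transaction IDs for predictability.

    stride_ratio: share of consecutive pairs sharing the most common modular delta
                  (1.0 means a pure counter, the weakness described in the article).
    distinct_ratio: share of IDs that are unique (low values mean reuse).
    entropy_bits: Shannon entropy of the observed IDs, ~log2(n) when none repeat.
    """
    n = len(txids)
    if n < 2:
        return {"stride": None, "stride_ratio": 0.0, "distinct_ratio": 1.0,
                "entropy_bits": 0.0, "predictable": False}
    # Modular delta so that a counter wrapping from 0xFFFF to 0x0000 still shows stride 1
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    stride, stride_count = Counter(deltas).most_common(1)[0]
    stride_ratio = stride_count / len(deltas)
    counts = Counter(txids)
    distinct_ratio = len(counts) / n
    entropy_bits = -sum((c / n) * math.log2(c / n) for c in counts.values())
    predictable = stride_ratio >= stride_threshold or distinct_ratio < distinct_threshold
    return {"stride": stride, "stride_ratio": stride_ratio, "distinct_ratio": distinct_ratio,
            "entropy_bits": entropy_bits, "predictable": predictable}


def analyze_packets(packets) -> dict:
    """Extract transaction IDs from raw DNS messages and assess them."""
    return assess_txids([parse_txid(p) for p in packets])


# Constructed, hand-picked 16-bit IDs with no common stride (stand-in for a healthy resolver)
SAMPLE_RANDOM_TXIDS = [
    0x3A4F, 0x91C2, 0x07BE, 0xE5D1, 0x4C08, 0xB73A, 0x2E95, 0xF01D, 0x6A77, 0xC4E3,
    0x1B50, 0x88AC, 0xD2F9, 0x5E21, 0xA06D, 0x3C8E, 0xF7B4, 0x0947, 0x7DD2, 0xBE16,
]

if __name__ == "__main__":
    # Constructed counter-style IDs, the pattern a predictable generator produces
    counter_packets = [build_query(0x1000 + i) for i in range(20)]
    print("counter:", analyze_packets(counter_packets))
    random_packets = [build_query(t) for t in SAMPLE_RANDOM_TXIDS]
    print("random :", analyze_packets(random_packets))
```

In practice the input would be the first two bytes of each outbound UDP/53 query captured from the device under test; a stride ratio near 1.0 across a few dozen queries is the signal to look for, and the same check applies equally to the source port, which a resolver should also randomize.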
The researchers reported that major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions such as Embedded Gentoo use uClibc. The researchers explained that uClibc-ng was specifically designed for OpenWRT, a common OS for routers possibly deployed throughout various critical infrastructure sectors.
Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. That’s why Nozomi Networks didn’t disclose the details on the devices in which they were able to expose this vulnerability.
“Threat actors are increasingly focused on delivering vulnerabilities through open source software libraries and exploiting them through IoT devices,” said Bud Broomhead, CEO at Viakoo.
Broomhead said this gives many advantages to cyber criminals: they can make many devices vulnerable through the use of commonly used software libraries, and because IoT devices often lack IT-class security solutions, threat actors can breach these devices without detection in many cases.
Continue reading: https://www.scmagazine.com/news/application-security/dns-bug-found-in-c-standard-library-used-in-popular-iot-products