A zero-day flaw in the popular C standard libraries uClibc and uClibc-ng could allow a malicious actor to perform DNS poisoning attacks on affected IoT devices. Researchers have warned that the issue, tracked as ICS-VU-638779, has yet to be fixed and might leave users vulnerable to attack.
In DNS poisoning attacks, the target domain name is resolved to the IP address of a server controlled by the attacker. This means that if a malicious actor sends a ‘forgotten password’ request, they may redirect it to their own email address and intercept it, changing the victim’s password and gaining access to their account.
On an IoT device, the flaw might be used to intercept a firmware update request and redirect it to a malware download. Researchers at Nozomi Networks found the DNS poisoning vulnerability, which they said is still unpatched, possibly exposing many users to attack.
According to Nozomi Networks, uClibc is used by major suppliers like Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo. uClibc-ng is a fork of uClibc made exclusively for OpenWRT, a popular operating system for routers. Nozomi also disclosed that the library’s maintainer could not propose a solution. Until a fix is ready, the researchers stated they wouldn’t share technical specifics or name affected devices.
“It’s important to note that a vulnerability affecting a C standard library can be a bit complex,” the team stated in a blog post. “Not only would there be hundreds or thousands of calls to the vulnerable function in multiple points of a single program, but the vulnerability would affect an indefinite number of other programs from multiple vendors configured to use that library.”