Routers, Network Cameras From Netgear, Linksys, and Others Affected Due to DNS Poisoning Flaw

Routers and connected devices, including network cameras from Netgear, Linksys, and Axis, as well as devices running Linux distributions such as Embedded Gentoo, have been found to be affected by a domain name system (DNS) poisoning flaw in two popular libraries used in connected devices. The researchers who discovered the flaw have not revealed the exact models affected because the vulnerability has not yet been patched. However, the vulnerable libraries are used by a large number of vendors, including some well-known router and Internet of Things (IoT) device makers.

Researchers at IT security firm Nozomi Networks said that the DNS implementation in all versions of the uClibc and uClibc-ng libraries carries the DNS poisoning flaw, which an attacker can exploit to redirect users to malicious servers and steal the information shared through the affected devices. The issue was first discovered last year and was disclosed to over 200 vendors in January.

While uClibc has been used by vendors including Netgear, Linksys, and Axis and is a part of Linux distributions such as Embedded Gentoo, uClibc-ng is a fork designed for OpenWRT, the popular open-source operating system for routers. This shows the extensive scope of the flaw, which could impact a large number of users around the world.

The vulnerability in both libraries enables attackers to predict a parameter called the transaction ID, which is normally a unique number generated by the client for each request to protect DNS communication.

In a normal situation, if the transaction ID in a response is missing or differs from the one generated on the client side, the system discards the response. However, because the vulnerability makes the transaction ID predictable, an attacker can guess the number, spoof a legitimate DNS response, and redirect requests to a fake Web server or a phishing website.
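As an added illustration (not from the article or from Nozomi Networks' research), the Python sketch below shows the client-side transaction ID check described above, together with a defender-side audit that flags a device's own captured queries when their IDs advance by a fixed step. The fixed-step pattern is an assumed form of predictability chosen for illustration, and the function names and sample IDs are constructed.

```python
import struct
from collections import Counter

# Constructed sample transaction IDs (not captured from any real device).
STEPPED_IDS = [65533, 65534, 65535, 0, 1, 2, 3, 4, 5]
SCATTERED_IDS = [0x3A1F, 0xC402, 0x07BE, 0x91D3, 0x5E60, 0xF2A9, 0x1C47, 0x8B15, 0x60FA]

def build_query(txid, name="example.com"):
    """Build a minimal DNS A query to use as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def transaction_id(packet):
    """Return the 16-bit ID held in the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    return struct.unpack("!H", packet[:2])[0]

def accept_response(query, response):
    """Client-side rule from the article: discard a reply whose ID differs."""
    same_id = transaction_id(query) == transaction_id(response)
    is_reply = bool(response[2] & 0x80)  # QR bit set means "response"
    return same_id and is_reply

def audit_ids(packets, min_samples=8, threshold=0.8):
    """Flag queries whose IDs mostly advance by one fixed step (mod 65536)."""
    ids = [transaction_id(p) for p in packets]
    if len(ids) < min_samples:
        return {"verdict": "insufficient data", "samples": len(ids)}
    deltas = Counter((b - a) % 65536 for a, b in zip(ids, ids[1:]))
    step, count = deltas.most_common(1)[0]
    share = count / (len(ids) - 1)
    verdict = "predictable" if share >= threshold else "no fixed step found"
    return {"verdict": verdict, "step": step, "share": share, "samples": len(ids)}

if __name__ == "__main__":
    for label, ids in (("stepped", STEPPED_IDS), ("scattered", SCATTERED_IDS)):
        print(label, audit_ids([build_query(i) for i in ids]))
```

A "no fixed step found" verdict only rules out the simplest pattern; it does not show that the IDs are unpredictable.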

The researchers also noted that DNS poisoning attacks enable attackers to initiate subsequent Man-in-the-Middle attacks that could help them steal or manipulate information transmitted by users or even compromise the devices carrying the vulnerable libraries.

“Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure,” said Andrea Palanca, a security researcher at Nozomi Networks.

The maintainer of uClibc-ng wrote in an open forum that they were not able to fix the issue at their end. Similarly, uClibc has not received an update since 2010, according to the downloads page of the library, as noticed by Ars Technica.

However, device vendors are currently working on evaluating the issue and its impact.

Netgear issued a statement to acknowledge the impact of the vulnerability on its devices.

“Netgear is aware of the disclosure of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries affecting some products. Netgear is assessing which products are affected. All Netgear products use source port randomisation and we are not currently aware of any specific exploit that could be used against the affected products,” the company said.

The company also said that it would continue to investigate the issue and, if a fix becomes available in the future, would evaluate whether the fix is applicable to the affected Netgear products.

Gadgets 360 has also reached out to vendors including Linksys and Axis to get their comments on the flaw and will update this article when they respond.



