A problem in all versions of the popular C standard libraries uClibe & uClibe-ng can allow for DNS ‘poisoning attacks’ against target devices.
An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS ‘poisoning attacks’ against millions of IoT devices & routers to potentially take control of them, researchers have found.
IoT Products
Researchers at Nozomi Networks Labs observed the defect affecting the implementation of DNS in all versions of uClibc & uClibc-ng, popular C standard libraries found in many IoT products, they revealed in a blog post this week.
“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Nozomi’s Giannis Tsaraias & Andrea Palanca wrote.
In a DNS ‘poisoning attack,’ also known as DNS spoofing & DNS cache poisoning – an attacker deceives a DNS client into accepting a forged response. This forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one.
Affected Devices
The potential of this issue is huge, as major vendors such as Linksys, Netgear & Axis, as well as Linux distributions such as Embedded Gentoo, use uClibe in their devices. Also, uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers deployed throughout various critical infrastructure sectors, researchers stated. Specific devices impacted by the bug were not disclosed as part of this research.
If an attacker mounts a successful DNS poisoning attack on an affected device, they also can perform a subsequent man-in-the-middle attack, researchers explained. This is because by poisoning DNS records, they can re-route network communications to a server under their control, researchers observed.
Compromise
“The attacker could then steal and/or manipulate information transmitted by users & perform other attacks against those devices to completely compromise them,” researchers wrote. “The main issue here is how DNS poisoning attacks can force an authenticated response.”
Researchers are currently working with the maintainer of the uClibe library to develop a fix for the vulnerability, which leaves devices vulnerable, they outlined.
Because of this, Nozomi researchers have declined to disclose specific details of the device on which they were able to reproduce the flaw to keep attackers at bay, they revealed.
DNS as a Target
News of the DNS vulnerability brings a reminder of last year’s Log4Shell flaw, which sent ripples of concern within the cyber-security community when it was discovered in December because of its scope.
The problem affects the very common open-source Apache Log4j framework—found in countless Java apps used across the internet. In fact, a recent report found that the flaw continues to put millions of Java apps at risk, though a patch exists for the defect.
Though it affects a separate set of targets, the DNS flaw also has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP, researchers suggested.
Related IP Address
DNS is a hierarchical database that serves the integral purpose of translating a domain name into its related IP address. To distinguish the responses of different DNS requests aside from the usual 5-tuple–source IP, source port, destination IP, destination port, protocol & the query, each DNS request includes a parameter called “transaction ID.”
The transaction ID is a unique number per request that is generated by the client & added in each request sent. It must be included in a DNS response to be accepted by the client as the valid 1 for request, researchers noted.
“Because of its relevance, DNS can be a valuable target for attackers,” they observed.
Vulnerability & Exploitation
Researchers discovered the flaw while reviewing the trace of DNS requests performed by an IoT device, they stated. They noticed something abnormal in the pattern of DNS requests from the output of Wireshark.
The transaction ID of the request was at 1st incremental, then reset to the value 0x2, then was incremental again.
Related Executable
“While debugging the related executable, trying to understand the root cause, we eventually noticed that the code responsible for performing the DNS requests was not part of the instructions of the executable itself, but was part of the C standard library in use, namely uClibc 0.9.33.2,” they explained.
Researchers performed a source code review & found that the uClibc library implements DNS requests by calling the internal “__dns_lookup” function, which is located in the source file “/libc/inet/resolv.c.”
Lines of Code
Eventually they found fault with some of the lines of code in the library—specifically line #1240, #1260, #1309, #1321 & #1335, to which they could attribute the anomaly in the DNS request pattern, which makes the transaction ID predictable, researchers explained.
This predictability creates a scenario in which an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server to exploit the issue, researchers observed.
Source Port
“It is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port,” they explained.
To exploit the defect also depends on how an OS applies randomisation of source port, which means an attacker would have to brute-force the 16-bit source port value by sending multiple DNS responses, while simultaneously beating the legitimate DNS response, researchers added.
Mitigation
Researchers explained, because the bug remains patched on millions of IoT devices, it is not disclosing the specific devices vulnerable to attack. In the interim, Nozomi Networks recommends that network administrators increase their network visibility and security in both IT & Operational Technology environments.
“This vulnerability remains unpatched; however we are working with the maintainer of the library & the broader community in support of finding a solution,” they wrote.
