This unpatched DNS bug could put ‘well-known’ IoT devices at risk
IoT security researchers at Nozomi Networks have warned that a popular library for the C programming language is at risk of DNS cache-poisoning attacks. The bug in the library is roughly 10 years old, and could not be fixed by the owners and maintainers of the library. Security researcher Andrea Palanca was the first to discover the flaw, which is an implementation error in the uClibc and uClibc-ng C libraries. The libraries are used in several popular IoT products and generate predictable transaction identifiers when conducting DNS request and response network communications.
The library’s owners ceased maintaining it in 2012 after the release of newer products. uClibc-ng is designed for use in OpenWrt, which is a common OS for routers and may be in use in different critical infrastructures. Since the bug is unpatched, Palanca and Nozomi have decided not to disclose the specific IoT tests to avoid further risks from threat actors.
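For teams auditing their own devices, the following added example (not code from Nozomi Networks or from uClibc) reads the transaction ID from the header of each outgoing DNS query and flags a sequence whose IDs advance by a constant step. The article does not say what form the predictability takes, so the constant-step pattern is an assumption; the function names and sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HDR_LEN 12  /* fixed DNS header size (RFC 1035) */

/* Read the 16-bit transaction ID: first two header bytes, big-endian. */
int dns_txid(const uint8_t *pkt, size_t len, uint16_t *id)
{
    if (pkt == NULL || id == NULL || len < DNS_HDR_LEN)
        return -1;                      /* truncated or missing packet */
    *id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    return 0;
}

/* 1 = every consecutive ID differs by the same step (mod 2^16), i.e. counter-like;
 * 0 = no constant step; -1 = bad packet or fewer than 3 samples. */
int txids_counter_like(const uint8_t pkts[][DNS_HDR_LEN], size_t n)
{
    uint16_t prev, cur, step = 0;
    if (n < 3 || dns_txid(pkts[0], DNS_HDR_LEN, &prev) != 0)
        return -1;
    for (size_t i = 1; i < n; i++) {
        if (dns_txid(pkts[i], DNS_HDR_LEN, &cur) != 0)
            return -1;
        uint16_t d = (uint16_t)(cur - prev);   /* wraps correctly at 0xFFFF */
        if (i == 1)
            step = d;
        else if (d != step)
            return 0;
        prev = cur;
    }
    return 1;
}

/* Constructed sample headers (not captured traffic): ID, flags=0x0100 (RD), QDCOUNT=1. */
#define HDR(hi, lo) { hi, lo, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0 }
const uint8_t sample_counter[4][DNS_HDR_LEN] = {
    HDR(0xFF, 0xFE), HDR(0xFF, 0xFF), HDR(0x00, 0x00), HDR(0x00, 0x01) };
const uint8_t sample_mixed[4][DNS_HDR_LEN] = {
    HDR(0x3A, 0x91), HDR(0xC4, 0x07), HDR(0x12, 0xEE), HDR(0x9B, 0x50) };

int main(void)
{
    printf("counter-like sample: %d\n", txids_counter_like(sample_counter, 4));
    printf("mixed sample:        %d\n", txids_counter_like(sample_mixed, 4));
    return 0;
}
```

A result of 0 only rules out the constant-step pattern; it does not show that the IDs come from a cryptographically secure source.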