DNS poisoning affects millions of routers and IoT devices

Millions of routers from Linksys and Netgear, as well as other IoT products, are affected by an unpatched DNS vulnerability. Security researchers at Nozomi Networks Labs discovered CVE-2022-05-02, a bug in the DNS implementation of two popular C libraries, uClibc and uClibc-ng, which are mainly used in routers and IoT products.

The maintainer says that he has not been able to develop a fix himself. After a 30-day waiting period, the vulnerability was therefore published in the hope that someone else would manage to implement a fix. In addition to Netgear and Linksys, Axis Communications also uses the uClibc library, as does the Linux distribution Embedded Gentoo. uClibc-ng is a fork designed specifically for the router OS OpenWRT.

[Figure 2: trace of DNS requests]
The transaction IDs in the red outline are predictable.

The vulnerability is caused by predictable transaction identifiers, which are generated when DNS requests are processed. By working out the transaction IDs, attackers can carry out so-called DNS poisoning: when a user enters a web address, an incorrect IP address is returned.

[Figures 3 and 4: DNS lookup function]
The value last_id can be predicted and filled in by the attacker.
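
A defender-side check for the weakness described above, as an added example that is not from the original article or from Nozomi Networks: it reads the transaction ID from each DNS query captured from a device and reports whether successive IDs follow one fixed step. The function names, the sample queries and the 0.8 threshold are constructed assumptions.

```python
import struct
from collections import Counter

def make_query(ident: int, name: str = "example.test") -> bytes:
    """Build a minimal DNS A query (constructed sample input, not a capture)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def query_id(payload: bytes) -> int:
    """Return the 16-bit transaction ID of a DNS query (UDP payload bytes)."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags = struct.unpack_from("!HH", payload)
    if flags & 0x8000:
        raise ValueError("QR bit set: response, not a query")
    return ident

def assess_ids(payloads, min_samples=8, threshold=0.8):
    """Flag a resolver whose successive query IDs mostly differ by one fixed step."""
    ids = [query_id(p) for p in payloads]
    if len(ids) < min_samples:
        return {"verdict": "insufficient-data", "step": None, "ratio": 0.0}
    # Differences are taken modulo 2**16 so a counter wrapping past 0xFFFF still matches.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    step, hits = Counter(deltas).most_common(1)[0]
    ratio = hits / len(deltas)
    verdict = "predictable" if ratio >= threshold else "no-fixed-step"
    return {"verdict": verdict, "step": step, "ratio": ratio}

# Constructed traces: a counter that wraps, a counter with one gap, scattered IDs.
WRAPPING = [make_query((0xFFFC + i) & 0xFFFF) for i in range(9)]
GAPPED = [make_query(i) for i in (100, 101, 102, 104, 105, 106, 107, 108, 109)]
SCATTERED = [make_query(i) for i in (0x9C31, 0x12FA, 0xE004, 0x57B2, 0x0A9D,
                                     0xC3E8, 0x7F10, 0x2B66, 0xD5A3)]

if __name__ == "__main__":
    for label, trace in (("wrapping", WRAPPING), ("gapped", GAPPED),
                         ("scattered", SCATTERED)):
        print(label, assess_ids(trace))
```

A "no-fixed-step" verdict only rules out a fixed increment; it does not show that the IDs come from a strong random source.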

This allows victims to be redirected to malicious websites without noticing. The attacker could steal or manipulate information and perform further attacks on the device. The biggest problem is that it is hard to tell whether the correct or a poisoned IP address is being returned.

Due to the severity of the vulnerability and the lack of a fix, no details have been disclosed about the affected devices.

