Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices

2022-05-04 00:34

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products.

The issue, which was originally reported in September 2021, affects the Domain Name System implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems.

"The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device," Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.

DNS poisoning, also referred to as DNS spoofing, is the technique of corrupting a DNS resolver cache - which provides clients with the IP address associated with a domain name - with the goal of redirecting users to malicious websites.

Successful exploitation of the bug could allow an adversary to carry out Man-in-the-Middle attacks and corrupt the DNS cache, effectively rerouting internet traffic to a server under their control.

"The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them," the researchers said.

News URL

https://thehackernews.com/2022/05/unpatched-dns-related-vulnerability.html

#DNS #IOT #vulnerability