• Home
  • Laptops
  • Laptops News
  • Routers, Network Cameras From Netgear, Linksys, and Others Affected Due to DNS Poisoning Flaw

Routers, Network Cameras From Netgear, Linksys, and Others Affected Due to DNS Poisoning Flaw

The security issue was disclosed to over 200 vendors in January but is yet to be fixed.

Routers, Network Cameras From Netgear, Linksys, and Others Affected Due to DNS Poisoning Flaw

Photo Credit: Reuters

Attackers could exploit the vulnerability to redirect users to malicious websites

Highlights
  • Researchers at Nozomi Networks have discovered the issue
  • Netgear has acknowledged its existence and impact on some devices
  • The vulnerability enables attackers with predictability of unique IDs

Routers and connected devices including network cameras from companies including Netgear, Linksys, and Axis as well as the ones using Linux distributions such as Embedded Gentoo are found to be affected by a domain name system (DNS) poisoning flaw that exists in two popular libraries used for connected devices. Exact models impacted by the vulnerability are not revealed by the researchers who have discovered its existence since the loophole is yet to be patched. However, the vulnerable libraries have been used by a large number of vendors, including some of the renowned router and Internet of Things (IoT) device makers.

The researchers at IT security firm Nozomi Networks said that the DNS implementation of all versions of libraries uClibc and uClibc-ng carried the DNS poisoning flaw that an attacker can exploit to redirect users to malicious servers and steal the information shared through the affected devices. The issue was first discovered last year and was disclosed to over 200 vendors in January.

While uClibc has been used by vendors including Netgear, Linksys, and Axis and is a part of Linux distributions such as Embedded Gentoo, uClibc-ng is a fork that is design for OpenWRT — the popular open-source operating system for routers. This shows the extensive scope of the flaw that could impact a large number of users around the world.

The vulnerability in both libraries enables attackers to predict a parameter called transaction ID that is normally a unique number per request generated by the client to protect communication through DNS.

In a normal situation, if the transaction ID is not available or is different from what has been generated at the client side, the system discards the response. However, since the vulnerability brings predictability of the transaction ID, an attacker can predict the number to eventually spoof the legitimate DNS and redirect requests towards a fake Web server or a phishing website.

The researchers also noted that DNS poisoning attacks also enable attackers to initiate subsequent Man-in-the-Middle attacks that could help them steal or manipulate information transmitted by users or even compromise the devices carrying the vulnerable libraries.

"Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure," said Andrea Palanca, a security researcher at Nozomi Networks.

The maintainer of uClibc-ng wrote in an open forum that they were not able to fix the issue at their end. Similarly, uClibc has not received an update since 2010, as per the details available on the downloads page of the library, as noticed by Ars Technica.

However, device vendors are currently working on evaluating the issue and its impact.

Netgear issued a statement to acknowledge the impact of the vulnerability on its devices.

"Netgear is aware of the disclosure of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries affecting some products. Netgear is assessing which products are affected. All Netgear products use source port randomisation and we are not currently aware of any specific exploit that could be used against the affected products," the company said.

It also assured that it would continue to investigate the issue, and, if a fix would become available in the future, would evaluate whether the fix is applicable for the affected Netgear products.

Gadgets 360 has also reached out to vendors including Linksys and Axis to get their comments on the flaw and will update this article when they respond.


Asus India's Arnold Su joins this week's Orbital, the Gadgets 360 podcast, to talk about how the PC maker is planning to grow its presence in the country. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Jagmeet Singh
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
Google Pixel Buds Pro Tipped to Launch Soon, Colour Variants Leaked
Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2022. All rights reserved.