After months of work by industrial control systems (ICS) cybersecurity teams, a fix for a widespread Domain Name System (DNS) poisoning bug still hasn’t been found. Now they’re asking for help from the wider cybersecurity community.
A blog post from a team of ICS analysts at Nozomi Networks explained that the flaw exists in all versions of uClibc, a C standard library widely used in Internet of Things (IoT) gear, as well as in uClibc-ng, a special version for OpenWRT, a “common OS for routers deployed throughout various critical infrastructure sectors.”
As such, the bug exists in big name-brand products from Linksys, Netgear, and Axis, and in Linux distributions such as Embedded Gentoo. Since January, the vulnerability has been disclosed to 200+ vendors, and it likely affects millions of installed devices.
Additional specifics on the devices affected aren’t being provided publicly because the DNS bug is still unpatched, but Nozomi provided details on the bug and its exploitability after the library’s maintainer was unable to develop a fix — in hopes of soliciting help from the community.
The impact of an exploit could be significant: “Because of its relevance, DNS can be a valuable target for attackers,” the research team explained in the post. “In a DNS poisoning attack, an attacker is able to deceive a DNS client into accepting a forged response, thus inducing a certain program into performing network communications with an arbitrarily defined endpoint, and not the legitimate one.”
Once successful, the attacker could alter or intercept network traffic to compromise connected devices, the team said.
“A DNS poisoning attack enables subsequent Man-in-the-Middle attacks because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control,” the Nozomi team warned. “The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them.”
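The quoted paragraphs describe the failure mode at the heart of DNS poisoning: a stub resolver accepting a reply it should have rejected. The following is an added example, not code from the article, from Nozomi Networks, or from the uClibc project, of the reply-matching checks a stub resolver performs before trusting an answer: the reply must come from the server the query was sent to, arrive on the port the query left from, carry the same 16-bit transaction ID, and echo the same question. The checks shown are general defensive practice for DNS clients and do not describe the specific defect in uClibc, which the article does not detail. The sample query and reply are constructed in-line (RFC 5737 documentation addresses), so nothing touches the network.

```python
"""Reply validation for a minimal DNS stub resolver (added example).

Sample messages are constructed here; no sockets are opened. The checks are
general defensive practice, not a description of the uClibc bug's root cause.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it has sent and is waiting on."""
    txid: int          # 16-bit transaction ID placed in the query header
    qname: str         # name asked for
    qtype: int         # record type asked for (1 = A)
    server: tuple      # (ip, port) the query was sent to
    local_port: int    # UDP source port the query left from


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int, depth: int = 0):
    """Decode a wire-format name at msg[off], following compression pointers.

    Returns (name, offset just past the name). Pointer chains are capped so a
    malformed reply cannot send the parser into a loop.
    """
    if depth > 4:
        raise ValueError("pointer chain too deep")
    labels = []
    while True:
        ln = msg[off]                      # IndexError on a truncated reply
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:              # two-byte compression pointer
            ptr = ((ln & 0x3F) << 8) | msg[off + 1]
            tail, _ = decode_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed standard query (RD set), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_answer(txid: int, qname: str, qtype: int, ip: str) -> bytes:
    """Constructed reply: echoes the question, then one A record whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + rr


def validate_reply(reply: bytes, src: tuple, dst_port: int, pending: PendingQuery):
    """Return (accepted, reason). A reply is accepted only if every field that
    ties it to the outstanding query matches; any mismatch is dropped."""
    if len(reply) < 12:
        return False, "truncated header"
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if src != pending.server:
        return False, "unexpected source address"
    if dst_port != pending.local_port:
        return False, "unexpected destination port"
    if txid != pending.txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:                 # QR bit clear: this is a query, not a reply
        return False, "not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    try:
        qname, off = decode_name(reply, 12)
        qtype, qclass = struct.unpack("!HH", reply[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return False, "malformed question section"
    if qname.lower() != pending.qname.lower() or qtype != pending.qtype or qclass != 1:
        return False, "question section mismatch"
    return True, "ok"


def first_a_record(reply: bytes):
    """IPv4 address of the first A record in the answer section, or None.
    Only call this on a reply that validate_reply() has accepted."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    off = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        _, off = decode_name(reply, off)
        off += 4
    for _ in range(ancount):
        _, off = decode_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in reply[off:off + 4])
        off += rdlen
    return None


if __name__ == "__main__":
    pending = PendingQuery(0x1234, "example.com", 1, ("192.0.2.53", 53), 40000)
    good = build_answer(0x1234, "example.com", 1, "203.0.113.5")
    print(validate_reply(good, ("192.0.2.53", 53), 40000, pending), first_a_record(good))
    forged = build_answer(0x1235, "example.com", 1, "198.51.100.9")
    print(validate_reply(forged, ("192.0.2.53", 53), 40000, pending))
```

The order of the checks matters for a real resolver: source address and port are cheapest and are compared first, the transaction ID next, and the question section last. A reply that fails any check is silently dropped and the resolver keeps waiting for the genuine answer, which is why each of these fields must be hard for a third party to predict or spoof; a resolver that skips one of them, or chooses it predictably, gives up part of the protection the others provide.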