Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

A flaw in all versions of the popular C standard libraries uClibc and uClibc-ng can allow for DNS poisoning attacks against target devices.

An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them, researchers have found.

Researchers at Nozomi Networks Labs discovered the flaw affecting the implementation of DNS in all versions of uClibc and uClibc-ng, popular C standard libraries found in numerous IoT products, they revealed in a blog post this week.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Nozomi’s Giannis Tsaraias and Andrea Palanca wrote in the post.

Infosec Insiders Newsletter

In a DNS poisoning attack– also known as DNS spoofing and DNS cache poisoning–an attacker deceives a DNS client into accepting a forged response. This forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one.

Numerous Affected Devices

The scope of the flaw is vast, as major vendors such as Linksys, Netgear and Axis, as well as Linux distributions such as Embedded Gentoo, use uClibe in their devices. Meanwhile, uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers deployed throughout various critical infrastructure sectors, researchers said. Specific devices impacted by the bug were not disclosed as part of this research.

Moreover, if an attacker mounts a successful DNS poisoning attack on an affected device, they also can perform a subsequent man-in-the-middle attack, researchers said. This is because by poisoning DNS records, they can re-route network communications to a server under their control, researchers said.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” researchers wrote. “The main issue here is how DNS poisoning attacks can force an authenticated response.”

Researchers are currently working with the maintainer of the uClibe library to develop a fix for the vulnerability, which leaves devices vulnerable, they said. Because of this, Nozomi researchers have declined to disclose specific details of the device on which they were able to reproduce the flaw to keep attackers at bay, they said.

DNS as a Target

News of the DNS vulnerability brings reminders of last year’s Log4Shell flaw, which sent ripples of concern within the cybersecurity community when it was discovered in December because of its scope. The flaw affects the ubiquitous open-source Apache Log4j framework—found in countless Java apps used across the internet. In fact, a recent report found that the flaw continues to put millions of Java apps at risk, though a patch exists for the flaw.

Though it affects a different set of targets, the DNS flaw also has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP, researchers said.

DNS is a hierarchical database that serves the integral purpose of translating a domain name into its related IP address. To distinguish the responses of different DNS requests aside from the usual 5-tuple–source IP, source port, destination IP, destination port, protocol–and the query, each DNS request includes a parameter called “transaction ID.”

The transaction ID is a unique number per request that is generated by the client and added in each request sent. It must be included in a DNS response to be accepted by the client as the valid one for request, researchers noted.

“Because of its relevance, DNS can be a valuable target for attackers,” they observed.

The Vulnerability and Exploitation

Researchers discovered the flaw while reviewing the trace of DNS requests performed by an IoT device, they said. They noticed something abnormal in the pattern of DNS requests from the output of Wireshark. The transaction ID of the request was at first incremental, then reset to the value 0x2, then was incremental again.

“While debugging the related executable, trying to understand the root cause, we eventually noticed that the code responsible for performing the DNS requests was not part of the instructions of the executable itself, but was part of the C standard library in use, namely uClibc,” they explained.

Researchers performed a source code review and found that the uClibc library implements DNS requests by calling the internal “__dns_lookup” function, which is located in the source file “/libc/inet/resolv.c.”

Eventually they found fault with some of the lines of code in the library—specifically line #1240, #1260, #1309, #1321 and #1335, to which they could attribute the anomaly in the DNS request pattern, which makes the transaction ID predictable, researchers said.

This predictability creates a scenario in which an an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server to exploit the flaw, researchers said.

“It is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port,” they explained.

To exploit the flaw also depends on how an OS applies randomization of source port, which means an attacker would have to bruteforce the 16-bit source port value by sending multiple DNS responses, while simultaneously beating the legitimate DNS response, researchers added.


Researchers explained, because the bug remains patched on millions of IoT devices, it is not disclosing the specific devices vulnerable to attack. In the interim, Nozomi Networks recommends that network administrators increase their network visibility and security in both IT and Operational Technology environments.

“This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution,” they wrote.

Suggested articles