A range of routers and Internet of Things devices from Netgear, Linksys and other manufacturers could be critically vulnerable to a DNS poisoning bug. The bug was discovered within a third party code library utilized in a wide range of hardware and software.
More specifically, the bug was found in uClibc and uClibc fork uClibc-ng, which is used in routers, switches, network-enabled devices and even Gentoo Linux.
The flaw puts devices that use uClibc or its fork uClibc-ng at risk of DNS poisoning. Hardware at risk includes Linksys and Netgear routers, Axis network cameras, Gentoo Linux, Tuxscreen Linux phones and a range of other devices.
Apparently, up to 200 vendors use uClibc or uClibc-ng in their products. These C standard libraries perform essential tasks, including DNS request handling such as name lookups and IP address translation.
In theory, anyone who can exploit this vulnerability will be able to poison DNS requests between the device or software and the destination. The result could be that users are sent to hacked or cloned websites rather than the real thing, with obvious consequences.
There is currently no fix for this vulnerability. Manufacturers have had over 6 months to come up with one, as the vulnerability was discovered in September 2021.
All vendors are apparently working on a resolution that will be made available as a patch as soon as one is ready. You can keep track of progress with ICS-VU-638779 and VU#473698 via Google Search.
The only mitigation possible right now is to watch your hardware vendor for updates and to keep an eye on your web traffic. There is very little else you can do.
The good news is that there has yet to be a report of this vulnerability being actively exploited, for now at least.
So, what is DNS poisoning and what harm can it do?
DNS poisoning enables a bad actor to intercept a DNS request from a network and supplement the legitimate IP address with a spoofed one. For example, if your router performed a DNS lookup for your bank, the bad actor could replace the legitimate IP address with that of a cloned website.
When the site opened in your browser, it would look and feel legitimate. You would be able to log in with your username and password. You would be unlikely to be able to do much else, though. The website would have captured your bank username and password and passed them to the hacker to use.
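The defence against the substitution described above lives in the resolver: a reply is only trusted if it matches the query that is still outstanding. The following Python is an added example, not code from the article or from uClibc, and it does not model the uClibc defect itself, which the article does not describe. It builds an A-record query with a randomly chosen transaction ID, a legitimate reply, and two forged replies of the kind a spoofer would inject (one carrying a different transaction ID, one answering for a name that was never asked), then shows the validation checks accepting the genuine reply and rejecting the forgeries. The domain names and IP addresses are constructed for the demonstration.

```python
import secrets
import socket
import struct
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode "bank.example" as DNS labels: \\x04bank\\x07example\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Build an A-record query. The transaction ID is one of the values a
    forged reply must guess, so it is drawn from a CSPRNG here."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, ip: str, txid: Optional[int] = None,
                   answer_name: Optional[str] = None) -> bytes:
    """Constructed reply to `query`. The overrides let the caller forge the
    kind of reply a spoofer sends: wrong transaction ID or wrong owner name."""
    q_txid = struct.unpack(">H", query[:2])[0]
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]                      # name + QTYPE + QCLASS
    header = struct.pack(">HHHHHH", q_txid if txid is None else txid,
                         0x8180, 1, 1, 0, 0)             # QR=1, RD, RA; 1 question, 1 answer
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rr = owner + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + rr


def validate_response(query: bytes, response: bytes):
    """The checks a stub resolver must make before trusting a reply.
    Returns (accepted, detail): the rejection reason, or the accepted A records."""
    if len(response) < 12:
        return False, "truncated header"
    q_txid = struct.unpack(">H", query[:2])[0]
    r_txid, flags, qd, an = struct.unpack(">HHHH", response[:8])
    if r_txid != q_txid:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    if qd != 1:
        return False, "unexpected question count"
    qname, q_end = decode_name(query, 12)
    qtype, qclass = struct.unpack(">HH", query[q_end:q_end + 4])
    rname, r_end = decode_name(response, 12)
    rtype, rclass = struct.unpack(">HH", response[r_end:r_end + 4])
    if (rname.lower(), rtype, rclass) != (qname.lower(), qtype, qclass):
        return False, "question section does not match query"
    ips, offset = [], r_end + 4
    for _ in range(an):
        owner, offset = decode_name(response, offset)
        rrtype, rrclass, _ttl, rdlen = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if owner.lower() != qname.lower():             # answer for a name never asked
            return False, f"answer for {owner} does not match question"
        if rrtype == 1 and rrclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return True, ips


if __name__ == "__main__":
    q = build_query("bank.example", txid=0x4A1B)
    print("genuine :", validate_response(q, build_response(q, "192.0.2.10")))
    print("bad id  :", validate_response(q, build_response(q, "198.51.100.7", txid=0x4A1C)))
    print("bad name:", validate_response(q, build_response(q, "198.51.100.7",
                                                            answer_name="other.example")))
```

Only the transaction ID, the source port of the query and the question itself stand between a forged reply and the cache of a resolver that makes these checks, which is why a resolver that reuses or predicts any of them makes the interception described above far easier than it should be.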
This has obvious consequences, leaving only the two-factor authentication stage to overcome, which could be done with a little social engineering and open-source lookups.
As you can imagine, this bug is relatively low risk. However, that is cold comfort to anyone who uses Gentoo Linux or one of the network devices implicated in the flaw.
That is made even worse by manufacturers being unable to alert owners without also alerting those bad actors!