New DNS Spoofing Threat Puts Millions of Devices at Risk

Security researchers have uncovered a critical vulnerability that could lead to DNS spoofing attacks in two popular C standard libraries that provide functions for common DNS operations.

Nozomi Networks Labs found the vulnerability in the Uclibc and uClibc-ng libraries, which provide functions to make common DNS operations such as lookups or translating domain names to IP addresses.

Uclibc is used by major vendors such as Linksys, Netgear, and Axis, and Linux distributions such as Embedded Gentoo, while uClibc-ng is “a fork specifically designed for OpenWRT, a common OS for routers possibly deployed throughout various critical infrastructure sectors,” the researchers wrote.

The vulnerability remains unpatched at the time of writing. That’s the reason why Nozomi Networks Labs is not disclosing the details of the devices to reproduce the vulnerability.

Also read: Best Patch Management Software & Tools

Understanding DNS Spoofing Attacks

Domain Name Systems are a fundamental mechanism of the web. Browsers use them to obtain the IP address for a specific service. For example, when you enter https://www.esecurityplanet.com/, the browser queries a DNS service to reach the matching servers.

ISPs provide most DNS services by default for convenience, so users don’t have to manually configure them, but it’s possible to buy private DNS services. You can even set your own DNS but it’s not recommended unless you know what you’re doing, as you might create security holes trying to configure something you don’t fully understand.

DNS spoofing or poisoning is massively used by threat actors to add unauthorized IP addresses in the DNS server’s cache. The goal is to redirect the victims to rogue servers owned by the hackers to steal credentials or install malware. Even if it’s only temporary (e.g., cache invalidation), it can be sufficient to compromise lots of devices.

Such rerouting is hard to detect, so if you don’t pay enough attention, you might believe you are browsing your favorite website when it’s actually a malicious copy.

DNS services are indeed prone to MITM (Man In The Middle) attacks. For example, when authorities and governments want to take down illegal websites, they use DNS blocking to reroute the traffic to a page that explains their action.

Also read: How to Prevent DNS Attacks

The C Library DNS Vulnerability

Nozomi Labs found a pattern in the DNS lookups made with the C libraries (see screenshot below). The transaction ID is at first incremental, then resets to the value 0x2, then is incremental again.

Hackers could thus predict such transaction IDs and perform DNS attacks under specific conditions.

The researchers explored libuClibc-0.9.33.2 to find the root cause and found assignments that explain the pattern. The function used to perform a DNS lookup contains a variable “initialized with the value of the transaction ID of the last DNS request.” 

It should be noted that it’s not sufficient to exploit the vulnerability, as the hackers would need to know the exact source port and “win the race against the legitimate DNS request,” so it’s not a backdoor or a typical flawed code.

It does not mean the difficulty of the exploit is higher than usual, but it depends on a combination of various factors. Nonetheless, hackers can predict two parameters that are essential to make a DNS client accept a DNS response: the source port and the transaction ID.

The researchers noticed the code does not randomize the source port. As a result, if the operating system uses a fixed or predictable source code, which is quite possible, the poisoning attack can occur.

Unfortunately, even if the system randomizes the source port, the attackers can still try to brute-force the port value, so it’s not a remediation.

See the Top 10 Open Source Vulnerability Assessment Tools

How to Protect Against the DNS Threat

Again, there’s no patch available at the time of writing, and even if there was one, the necessary time to deploy it on all potentially affected devices would be significant. The maintainer of the C library was not able to fix the problem and has asked for help.

Nozomi disclosed the vulnerability to more than 200 vendors with a 30-day notice before the public release.

According to the researchers, the affected devices are “well-known IoT devices running the latest firmware.” Admins need to apply the latest updates to all vendors and watch for the next firmware releases.

From the IT perspective, all measures to harden network and DNS security are recommended. CISA released a comprehensive guide you can use to evaluate the situation.

From an end users’ perspective, it’s essential to stay vigilant. The most obvious sign of a DNS attack is a sudden URL change in the browser.

You should probably configure your browser to force HTTPS everywhere, and look for any traces of counterfeit pages such as unusual typos and grammar mistakes, or suspicious quirks in the design like a fake logo.

Unfortunately, in rare cases, the deception is highly sophisticated, like a perfect clone, so you cannot detect the threat visually.

VPN providers now offer interesting security features that can block known malware and mitigate MITM attacks significantly. In any case, if you see something really strange, trust your instinct and leave the domain.

Read next: Top Vulnerability Management Tools

Julien Maury
Julien Maury is a backend developer, a mentor and a technical writer. He loves sharing his knowledge and learning new concepts.

Top Products

Related articles