A New DNS Spoofing Threat Endangers Millions of Devices

Posted by Marbenz Antonio on May 11, 2022


Two prominent C standard libraries that offer methods for typical DNS operations have a major vulnerability that might lead to DNS spoofing attacks, according to security experts.

The vulnerability was discovered by Nozomi Networks Labs in the uClibc and uClibc-ng libraries, which offer methods for performing typical DNS operations, including lookups and converting domain names to IP addresses.

uClibc is used by major vendors like Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, while uClibc-ng is “a fork specifically designed for OpenWRT, a common OS for routers that could be deployed across various critical infrastructure sectors,” according to the researchers.

At the time of writing, the vulnerability had not been fixed. That’s why Nozomi Networks Labs isn’t revealing the specifics of the equipment used to recreate the flaw.

Understanding DNS Spoofing Attacks

The Domain Name System is a key component of the internet. Browsers use it to obtain the IP address of the services they need: when you enter a domain name, the browser consults a DNS service to find the appropriate servers.

Most DNS services are provided by default by ISPs, so customers don’t have to configure them manually; private DNS services can also be purchased. You can even run your own DNS, but only if you’re sure what you’re doing, as configuring something you don’t completely understand can lead to security problems.

Threat actors frequently employ DNS spoofing or poisoning to insert forged IP addresses into a DNS server’s cache. The purpose is to send users to rogue servers controlled by the attackers, where they may steal passwords or install malware. Even if the poisoning is only transitory (it lasts until the cache entry is invalidated), it is enough to compromise a large number of devices.

Because such rerouting is difficult to identify, you may feel you’re visiting your favorite website when you’re actually viewing a malicious replica.

Man-in-the-middle (MITM) attacks can also target DNS services. DNS redirection is not limited to attackers: when authorities and governments seek to shut down unlawful websites, for example, they use DNS blocking to redirect visitors to a page explaining their actions.

The C Library DNS Vulnerability

Nozomi Networks Labs discovered a pattern in DNS lookups made through these C libraries (see screenshot below): the transaction ID first increments, then resets to 0x2, and then increments once again.

As a result, attackers may be able to guess transaction IDs and launch DNS attacks under certain circumstances.

To locate the root cause, the researchers looked into libuClibc- and found the assignments that explain the pattern: the DNS lookup function uses a variable that is “initialized with the value of the transaction ID of the last DNS request”.

It should be highlighted that exploiting the issue requires knowing the exact source port and “winning the race against the valid DNS request”; this is therefore neither a backdoor nor ordinary defective code.

That does not mean the exploit is harder than usual; rather, it depends on a number of conditions. Nonetheless, attackers may be able to guess the source port and transaction ID, the two values a DNS client checks before accepting a DNS answer.

The researchers also found that the code does not randomize the source port. As a result, the poisoning attack is possible whenever the operating system uses a stable or predictable source port, which is quite likely.

Unfortunately, even if the system randomizes the source port, attackers may still brute-force the port value, so port randomization alone is not a fix.
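The two weaknesses described above (a counter-like transaction ID that resets to a fixed value, and a source port that never changes) are easy to spot passively. The following is an added example, not code from the article or from Nozomi Networks: it takes (UDP source port, transaction ID) pairs as a network monitor might collect them from one client, and reports the predictability indicators. Both sample clients are constructed here for illustration.

```python
from collections import Counter


def txid_profile(txids):
    """Fraction of consecutive IDs that step by exactly +1, plus a Counter
    of the values the ID jumps *down* to (one repeated reset value, like the
    0x2 the researchers saw, is the tell-tale sign of a counter, not a RNG)."""
    pairs = list(zip(txids, txids[1:]))
    if not pairs:
        return {"increment_ratio": 0.0, "reset_values": Counter()}
    inc = sum(1 for a, b in pairs if b - a == 1)
    resets = Counter(b for a, b in pairs if b < a)
    return {"increment_ratio": inc / len(pairs), "reset_values": resets}


def assess_client(records, inc_threshold=0.8):
    """records: (UDP source port, DNS transaction ID) pairs in send order.
    Returns a list of findings; empty means neither a fixed source port nor
    sequential or resetting IDs showed up in the sample."""
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed UDP source port %d" % ports[0])
    prof = txid_profile(txids)
    if prof["increment_ratio"] >= inc_threshold:
        findings.append("sequential transaction IDs (%.0f%% step by +1)"
                        % (100 * prof["increment_ratio"]))
    if len(prof["reset_values"]) == 1:
        (value,) = prof["reset_values"]
        findings.append("transaction ID resets to fixed value 0x%x" % value)
    return findings


# Constructed sample: one client, fixed port, IDs counting up from 0x2 and
# wrapping back to 0x2 after 16 queries (the shape of the pattern above).
VULNERABLE_CLIENT = ([(0x9c41, t) for t in range(0x2, 0x12)]
                     + [(0x9c41, t) for t in range(0x2, 0x0a)])

# Constructed sample: a resolver that randomises both port and ID.
RANDOMIZED_CLIENT = [
    (0xd3a1, 0x5e21), (0x8c17, 0x1a90), (0xe402, 0xf3c7), (0x9b55, 0x07ad),
    (0xc0de, 0xbe4f), (0x7f31, 0x6612), (0xa9e8, 0x2c8b), (0xdb06, 0xe95a),
    (0x83c4, 0x41d0), (0xf10a, 0x9a3e), (0x6d77, 0x0b5c), (0xb2e9, 0xd7f1),
]

if __name__ == "__main__":
    for name, recs in ("vulnerable", VULNERABLE_CLIENT), ("randomized", RANDOMIZED_CLIENT):
        print(name, assess_client(recs) or ["no predictability indicators"])
```

The thresholds are heuristics; a short capture from a healthy resolver can still show one accidental downward jump, so treat a single reset as a signal only together with the increment ratio.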

How to Protect Against the DNS Threat

At the time of writing, there is no fix available, and even if there were, rolling it out across all potentially affected devices would take an enormous amount of time. The C library’s maintainer was unable to resolve the issue and has requested assistance.

Nozomi notified more than 200 suppliers about the issue 30 days before it was made public.

The affected devices, according to the researchers, are “well-known IoT devices running the latest firmware.” Administrators should install the latest patches from all manufacturers and keep an eye on future firmware releases.

From an IT standpoint, all measures that harden network and DNS security are advised. CISA has published a thorough guide that can be used to assess the situation.

From the end-user standpoint, it is critical to stay alert. A sudden URL change in the browser is the most visible indicator of a DNS attack.

You should definitely set your browser to always use HTTPS and watch for any signs of a false page, such as uncommon typos and language errors, or suspicious design eccentricities like a bogus logo.

Unfortunately, in other cases the deceit is so clever (a flawless clone, for instance) that you won’t be able to see the hazard.

VPN providers are increasingly offering innovative security features that may effectively block known malware and minimize MITM attacks. In any event, trust your instincts and exit the domain if you see something unusual.
