Routers, Network Cameras From Netgear, Linksys, and Others Affected Due to DNS Poisoning Flaw

The security issue was disclosed to over 200 vendors in January but is yet to be fixed.

By Jagmeet Singh | Updated: 4 May 2022 18:58 IST
Highlights
  • Researchers at Nozomi Networks have discovered the issue
  • Netgear has acknowledged its existence and impact on some devices
  • The vulnerability lets attackers predict unique IDs

Routers and connected devices, including network cameras, from companies such as Netgear, Linksys, and Axis, as well as devices running Linux distributions such as Embedded Gentoo, have been found to be affected by a domain name system (DNS) poisoning flaw in two popular libraries used in connected devices. The researchers who discovered the flaw have not revealed the exact models affected, since it is yet to be patched. However, the vulnerable libraries have been used by a large number of vendors, including some well-known router and Internet of Things (IoT) device makers.

The researchers at IT security firm Nozomi Networks said that the DNS implementation in all versions of the uClibc and uClibc-ng libraries carried the DNS poisoning flaw, which an attacker can exploit to redirect users to malicious servers and steal information shared through the affected devices. The issue was first discovered last year and was disclosed to over 200 vendors in January.

While uClibc has been used by vendors including Netgear, Linksys, and Axis and is a part of Linux distributions such as Embedded Gentoo, uClibc-ng is a fork that is designed for OpenWRT, the popular open-source operating system for routers. This shows the extensive scope of the flaw, which could impact a large number of users around the world.

The vulnerability in both libraries enables attackers to predict a parameter called transaction ID that is normally a unique number per request generated by the client to protect communication through DNS.


In a normal situation, if the transaction ID is not available or is different from what has been generated at the client side, the system discards the response. However, because the vulnerability makes the transaction ID predictable, an attacker can predict the number, spoof the legitimate DNS response, and redirect requests towards a fake Web server or a phishing website.
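An added example (not from the article or from Nozomi Networks) that shows, from a defender's side, the response check described above and a test of a device's observed DNS transaction IDs for one simple form of predictability: a constant step between consecutive IDs. The packets, the name device.example and the ID lists are constructed, and the constant-step pattern is an assumption of this sketch rather than something the article states.

```python
import struct
from collections import Counter

HEADER_LEN = 12  # fixed DNS header size; the transaction ID is its first 2 bytes

def make_packet(txid: int, response: bool = False) -> bytes:
    """Build a constructed DNS message for device.example (A/IN question only)."""
    flags = 0x8180 if response else 0x0100  # QR bit set marks a response
    qname = b"\x06device\x07example\x00"
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)

def txid_of(packet: bytes) -> int:
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a DNS header")
    return struct.unpack("!H", packet[:2])[0]

def client_accepts(query: bytes, response: bytes) -> bool:
    """Discard a response whose transaction ID is missing or differs from the query's."""
    if len(response) < HEADER_LEN or not response[2] & 0x80:
        return False
    return txid_of(response) == txid_of(query)

def dominant_step(ids, min_samples=8, threshold=0.9):
    """Return the step (mod 2**16) shared by >= threshold of consecutive ID pairs, else None."""
    if len(ids) < min_samples:
        return None
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    return step if count / len(deltas) >= threshold else None

# Constructed samples: IDs as they might be read from a capture of one device's queries.
STEPPED_IDS = [(0xFFFC + i) % 0x10000 for i in range(10)]  # wraps past 0xFFFF
VARIED_IDS = [0x3A91, 0xC204, 0x07EE, 0x915B, 0x5D30,
              0xE6A7, 0x1F42, 0xB8C9, 0x6403, 0x2ADF]

if __name__ == "__main__":
    q = make_packet(0x1234)
    print("matching ID accepted:", client_accepts(q, make_packet(0x1234, response=True)))
    print("mismatched ID accepted:", client_accepts(q, make_packet(0x1235, response=True)))
    for label, ids in (("stepped", STEPPED_IDS), ("varied", VARIED_IDS)):
        observed = [txid_of(make_packet(i)) for i in ids]
        print(label, "-> dominant step:", dominant_step(observed))
```

A result of None only rules out a constant step; it does not show that the IDs are unpredictable.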

The researchers also noted that DNS poisoning attacks enable attackers to initiate subsequent Man-in-the-Middle attacks that could help them steal or manipulate information transmitted by users or even compromise the devices carrying the vulnerable libraries.


"Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure," said Andrea Palanca, a security researcher at Nozomi Networks.

The maintainer of uClibc-ng wrote in an open forum that they were not able to fix the issue at their end. Similarly, uClibc has not received an update since 2010, as per the details available on the downloads page of the library, as noticed by Ars Technica.


However, device vendors are currently working on evaluating the issue and its impact.

Netgear issued a statement to acknowledge the impact of the vulnerability on its devices.

"Netgear is aware of the disclosure of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries affecting some products. Netgear is assessing which products are affected. All Netgear products use source port randomisation and we are not currently aware of any specific exploit that could be used against the affected products," the company said.

The company also said that it would continue to investigate the issue and, if a fix becomes available in the future, would evaluate whether the fix is applicable to the affected Netgear products.

Gadgets 360 has also reached out to vendors including Linksys and Axis to get their comments on the flaw and will update this article when they respond.

