Routers, Network Cameras From Netgear, Linksys, and Others Affected Due to DNS Poisoning Flaw

The security issue was disclosed to over 200 vendors in January but is yet to be fixed.

By Jagmeet Singh | Updated: 4 May 2022 18:58 IST
Highlights
  • Researchers at Nozomi Networks have discovered the issue
  • Netgear has acknowledged its existence and impact on some devices
  • The vulnerability lets attackers predict the unique IDs of DNS requests

Routers and connected devices, including network cameras, from companies such as Netgear, Linksys, and Axis, as well as devices using Linux distributions such as Embedded Gentoo, have been found to be affected by a domain name system (DNS) poisoning flaw that exists in two popular libraries used for connected devices. The researchers who discovered the flaw have not revealed the exact models affected, since it is yet to be patched. However, the vulnerable libraries have been used by a large number of vendors, including some of the renowned router and Internet of Things (IoT) device makers.

The researchers at IT security firm Nozomi Networks said that the DNS implementation of all versions of libraries uClibc and uClibc-ng carried the DNS poisoning flaw that an attacker can exploit to redirect users to malicious servers and steal the information shared through the affected devices. The issue was first discovered last year and was disclosed to over 200 vendors in January.

While uClibc has been used by vendors including Netgear, Linksys, and Axis and is a part of Linux distributions such as Embedded Gentoo, uClibc-ng is a fork that is designed for OpenWRT, the popular open-source operating system for routers. This shows the extensive scope of the flaw, which could impact a large number of users around the world.

The vulnerability in both libraries enables attackers to predict a parameter called transaction ID that is normally a unique number per request generated by the client to protect communication through DNS.


In a normal situation, if the transaction ID is not available or is different from what has been generated at the client side, the system discards the response. However, since the vulnerability brings predictability of the transaction ID, an attacker can predict the number to eventually spoof the legitimate DNS and redirect requests towards a fake Web server or a phishing website.
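The check described above can be turned into a defender's audit of a device's own outbound DNS queries. The following Python sketch is an added example, not code from Nozomi Networks or from uClibc: it applies the discard-on-mismatch rule and flags a capture whose transaction IDs advance by one fixed step. The constant-step test is an assumption about what "predictable" looks like (the article does not state the pattern), and the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def build_message(txid, name, response=False):
    """Constructed sample input: a minimal DNS message carrying one A/IN question."""
    flags = 0x8180 if response else 0x0100  # QR bit set marks a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(packet):
    """Return (transaction_id, is_response) from the first 4 header bytes."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, bool(flags & 0x8000)

def accept_response(query, response):
    """The client-side rule: discard a reply whose ID is missing or different."""
    try:
        qid, _ = parse_header(query)
        rid, is_resp = parse_header(response)
    except ValueError:
        return False
    return is_resp and rid == qid

def audit_txids(packets, min_queries=8, threshold=0.8):
    """Flag a capture whose query IDs mostly advance by one fixed step (mod 2**16)."""
    ids = [t for t, is_resp in map(parse_header, packets) if not is_resp]
    if len(ids) < min_queries:
        return {"verdict": "insufficient-data", "step": None, "share": 0.0}
    deltas = Counter((b - a) % 65536 for a, b in zip(ids, ids[1:]))
    step, hits = deltas.most_common(1)[0]
    share = hits / (len(ids) - 1)
    verdict = "predictable" if share >= threshold else "no-constant-step"
    return {"verdict": verdict, "step": step, "share": share}

# Constructed captures: one device counting upward across the 16-bit wrap, one not.
SEQUENTIAL = [build_message((0xFFFC + i) % 65536, "example.com") for i in range(10)]
SCATTERED = [build_message(t, "example.com") for t in
             (0x3A1F, 0xC402, 0x07B9, 0x9E55, 0x51D0, 0xE8A3, 0x2C6E, 0x7F14, 0xB0C7, 0x1689)]

if __name__ == "__main__":
    print(audit_txids(SEQUENTIAL))
    print(audit_txids(SCATTERED))
    q = build_message(0x1234, "example.com")
    print(accept_response(q, build_message(0x1234, "example.com", response=True)))
    print(accept_response(q, build_message(0x1235, "example.com", response=True)))
```

A "no-constant-step" verdict only rules out this one pattern; it does not show that the IDs are random. A real resolver also matches the question and the source port before accepting a reply.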

The researchers also noted that DNS poisoning attacks enable attackers to initiate subsequent Man-in-the-Middle attacks that could help them steal or manipulate information transmitted by users or even compromise the devices carrying the vulnerable libraries.


"Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure," said Andrea Palanca, a security researcher at Nozomi Networks.

The maintainer of uClibc-ng wrote in an open forum that they were not able to fix the issue at their end. Similarly, uClibc has not received an update since 2010, as per the details available on the downloads page of the library, as noticed by Ars Technica.


However, device vendors are currently working on evaluating the issue and its impact.

Netgear issued a statement to acknowledge the impact of the vulnerability on its devices.

"Netgear is aware of the disclosure of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries affecting some products. Netgear is assessing which products are affected. All Netgear products use source port randomisation and we are not currently aware of any specific exploit that could be used against the affected products," the company said.

It also gave an assurance that it would continue to investigate the issue and, if a fix becomes available in the future, would evaluate whether the fix is applicable to the affected Netgear products.

Gadgets 360 has also reached out to vendors including Linksys and Axis to get their comments on the flaw and will update this article when they respond.

