Critical vulnerability in uClibc C programming library affects major IoT device manufacturers

Researchers from security firm Nozomi Networks detailed the finding of a critical vulnerability residing in uClibc, a standard C library used by large enterprises around the world. This library is designed for embedded Linux systems and, according to its website, is employed in Internet of Things (IoT) devices manufactured by firms such as Linksys, Netgear, and Axis.

Tracked as CVE-2022-05-02, the vulnerability could be exploited to launch DNS poisoning attacks against affected devices. According to the researchers, “threat actors could trick a DNS client into accepting spoofed responses, inducing certain programs to perform network communications with an arbitrary endpoint that supplants the legitimate one.”

As many users may already know, DNS poisoning enables man-in-the-middle (MitM) attacks, since an attacker who gets a forged answer accepted can redirect a device's network communications to a server under their control. Attackers could then steal or manipulate information transmitted by users and perform other attacks against affected devices.
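The point above is that a DNS client is only as safe as the checks it applies before trusting a UDP reply. The following added example (written for this article, not uClibc's code or Nozomi's proof of concept) shows the validation a stub resolver should perform: the reply must come from the address and port the query was sent to, carry an unpredictable transaction ID that matches the outstanding query, have the QR bit set, and echo the question section. All packets, addresses (RFC 5737 documentation ranges) and helper names are constructed for the example.

```python
import secrets
import struct

# Minimal DNS wire-format helpers, constructed for this example (not library code).

def encode_name(name):
    """Encode "example.com" as DNS labels: b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    """Standard query: flags 0x0100 (RD set), one question, A record (qtype 1), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_answer(txid, name, ip, qtype=1):
    """Response with one A record; whoever builds it chooses ip, so trust rests on the checks below."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # 0xC00C = compression pointer to the name at offset 12 (the question); TTL 60, RDLENGTH 4
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def parse_question(pkt):
    """Return (name, qtype, qclass) from the first question of a DNS packet."""
    labels, off = [], 12
    while pkt[off] != 0:
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    qtype, qclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    return ".".join(labels), qtype, qclass

def rejection_reasons(query, sent_to, response, received_from):
    """Checks a stub resolver must pass before trusting a UDP reply. Empty list means accept."""
    reasons = []
    q_txid, _q_flags, *_ = struct.unpack("!HHHHHH", query[:12])
    r_txid, r_flags, *_ = struct.unpack("!HHHHHH", response[:12])
    if received_from != sent_to:
        reasons.append("source address/port differs from the server the query went to")
    if r_txid != q_txid:
        reasons.append("transaction ID does not match the outstanding query")
    if not (r_flags & 0x8000):
        reasons.append("QR bit clear: packet is a query, not a response")
    if parse_question(response) != parse_question(query):
        reasons.append("question section does not echo the query")
    return reasons

def demo():
    """Constructed exchange: one legitimate reply and two forged replies to the same query."""
    # Unpredictable ID: with a sequential or fixed ID, a forger needs no guessing at all.
    txid = secrets.randbelow(65536)
    query = build_query(txid, "example.com")
    resolver = ("192.0.2.53", 53)            # the configured recursive resolver (constructed)
    good = build_answer(txid, "example.com", "192.0.2.10")
    forged_id = build_answer((txid + 1) % 65536, "example.com", "203.0.113.66")
    forged_src = build_answer(txid, "example.com", "203.0.113.66")
    return {
        "legitimate": rejection_reasons(query, resolver, good, resolver),
        "wrong_txid": rejection_reasons(query, resolver, forged_id, resolver),
        "wrong_source": rejection_reasons(query, resolver, forged_src, ("203.0.113.5", 53)),
    }

if __name__ == "__main__":
    for case, reasons in demo().items():
        print(case, "->", "ACCEPT" if not reasons else "REJECT: " + "; ".join(reasons))
```

The source-port half of the defence is not visible in this code: it depends on the operating system binding each query socket to a random ephemeral port, so a defender auditing an embedded resolver should check both the ID generation and the socket setup, and watch for bursts of DNS replies that fail these checks as a sign of an attempted poisoning.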

This security issue was identified last year, although the uClibc developers were slow to respond to Nozomi's report. The team behind the library finally responded last March, saying that it had not been able to fix the vulnerability on its own, so the decision was made to disclose it publicly so that the cybersecurity community could collaborate on a fix.

Affected device vendors were alerted to the flaw in early 2022, so each firm was able to issue its own recommendations and workarounds to mitigate exploitation risk.

In the absence of a patch, Nozomi opted to keep the names of the affected products secret, although the report concludes by noting that a wide range of IoT devices running their latest firmware versions could be affected.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.