Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug

Cybersecurity analysts published information Monday about a potentially serious unpatched bug in code for internet of things (IoT) devices because they want the public's help in fixing the problem, which could affect technology used in critical infrastructure.

The vulnerability is in a library for the C programming language — uClibc / uClibc-ng — that is commonly used in creating software for IoT products, reported researchers at Nozomi Networks, which specializes in securing industrial control systems (ICS) used by manufacturers, public utilities and other critical infrastructure sectors.

The flaw could allow attackers to perform "DNS poisoning attacks" against a target device, essentially confusing how it recognizes activity from the internet domain name system (DNS). Such a disruption could then create an opportunity for far more destructive activity, "because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control," the researchers wrote.

"The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them," Nozomi Networks said.

The company said it went public with information about the unpatched vulnerability because even after a long disclosure process, the maintainer of the uClibc library was "unable to develop a fix." Nozomi Networks' goal is to work "with the maintainer of the library and the broader community in support of finding a solution," the researchers wrote.

The bug could affect millions of IoT devices, Nozomi Networks said, because the uClibc and uClibc-ng library "is known to be used by major vendors such as Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo." The researchers, with caution in mind, did not publish information about any specific devices affected by the vulnerability.

Nozomi Networks Labs has disclosed an unpatched vulnerability affecting the DNS of popular C standard libraries potentially in use by millions of #IoT devices.

Read the blog: https://t.co/qrGLvcnogT pic.twitter.com/a6ylXBUNfy

— Nozomi Networks (@nozominetworks) May 2, 2022

Nozomi Networks' has a particular interest in the bug because uClibc-ng is "specifically designed for OpenWRT, a common OS for routers possibly deployed throughout various critical infrastructure sectors."

The interaction of IoT devices with traditional ICS technology has drawn more attention in recent years as industry and government have paid more attention to cyberthreats against critical infrastructure.

The company said that after it discovered the bug, it disclosed it to ICS-CERT — the federal Cybersecurity and Infrastructure Security Agency's office for cyberthreats against ICS technology — in September 2021. Nozomi Networks said it notified vendors on April 1 that it would be disclosing the bug Monday.