Security researchers have found that it is possible to conduct domain name system (DNS) poisoning attacks against Internet of Things devices, thanks to a bug in the popular uClibc and uClibc-ng standard C libraries.
Although the bug was disclosed last year, it remains unpatched as the maintainer has not been able to develop a fix for it.
An attacker can predict the transaction IDs in the DNS requests that the libraries generate. Because a resolver uses that 16-bit ID to match a response to its outstanding query, a predictable ID lets forged responses be accepted as genuine, enabling DNS poisoning attacks that can be used to redirect traffic and spoof legitimate websites.
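The following is an added audit example, not code from the article, from Nozomi, or from the uClibc or uClibc-ng projects. It parses the RFC 1035 header of captured DNS queries, extracts the transaction IDs, and scores how often consecutive IDs differ by the same amount, which is the symptom a defender would look for when checking whether a device's resolver is exposed to the kind of weakness described above. The packet samples, host names and the 0.5 threshold are constructed for the example; the `build_query` helper exists only to fabricate those samples and is not part of any library.

```python
import struct
from collections import Counter

DNS_HEADER_LEN = 12  # RFC 1035 fixed header: ID, flags, QD/AN/NS/AR counts


def parse_dns_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header; the first field is the transaction ID."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("packet shorter than a DNS header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:DNS_HEADER_LEN])
    return {
        "id": tid,
        "flags": flags,
        "is_response": bool(flags & 0x8000),  # QR bit: 0 = query, 1 = response
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query(tid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a minimal wire-format A query (used here only to fabricate samples)."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def transaction_ids(packets):
    """Transaction IDs of outbound queries, in capture order (responses are skipped)."""
    headers = (parse_dns_header(p) for p in packets)
    return [h["id"] for h in headers if not h["is_response"]]


def stride_score(ids) -> float:
    """Fraction of consecutive ID deltas (mod 2^16) equal to the most common delta.

    1.0 means every query ID is the previous ID plus a fixed k; k == 0 covers a
    resolver that reuses one constant ID. Well-randomised IDs score close to 1/n.
    """
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if not deltas:
        return 0.0
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def assess(packets, threshold: float = 0.5) -> dict:
    """Summarise a capture: the IDs seen, their stride score and a verdict."""
    ids = transaction_ids(packets)
    score = stride_score(ids)
    return {"ids": ids, "stride_score": score, "predictable": score >= threshold}


# Constructed samples: a resolver that simply increments its ID versus one whose
# IDs were chosen by hand to look unpredictable (values are arbitrary).
SEQUENTIAL_QUERIES = [build_query(0x1000 + i, f"host{i}.example.net") for i in range(8)]
RANDOM_QUERIES = [build_query(t, f"host{i}.example.net") for i, t in enumerate(
    [0x3F2A, 0x91C4, 0x0B7E, 0xD310, 0x58A9, 0x2C63, 0xE7F1, 0x6A05])]

if __name__ == "__main__":
    for label, pkts in (("sequential", SEQUENTIAL_QUERIES), ("random", RANDOM_QUERIES)):
        r = assess(pkts)
        print(f"{label}: ids={[hex(i) for i in r['ids']]} "
              f"stride_score={r['stride_score']:.2f} predictable={r['predictable']}")
```

In practice the packets would come from a capture of the device's outbound port 53 traffic (for example via a mirror port), and the stride check is only one half of the picture: the UDP source port is the other value a response must match, so a capture that shows a fixed source port alongside predictable IDs indicates a resolver with very little to guess. Until a library fix is available, pointing such devices at a validating resolver on a trusted network segment and watching for unexpected response floods on port 53 are the controls a defender can apply.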
An unknown number of devices are affected by the vulnerability, but Nozomi said it has been disclosed to over 200 vendors.
According to their respective official websites, uClibc is used by major vendors such as Linksys, Netgear, and Axis, and by Linux distributions such as Embedded Gentoo.
uClibc-ng is a fork specifically designed for OpenWRT, "a common OS for routers possibly deployed throughout various critical infrastructure sectors," Nozomi researchers Giannis Tsaraias and Andrea Palanca wrote.
The Nozomi researchers disclosed the vulnerability to the Computer Emergency Response Team (CERT) at the United States government's Cybersecurity and Infrastructure Agency (CISA) in September last year.
Carnegie Mellon's CERT coordination centre invited the Nozomi researchers to join its Vulnerability Information and Coordination Environment (VINCE) platform, through which the flaw was disclosed to vendors.
They also contacted the maintainer of the open source project, who said he has been unable to develop a fix for the bug.
Nozomi said it won't disclose the exact devices that have the vulnerable library implementations as there is no fix for the bug yet.
The security vendor is working with the maintainer and the broader developer community to come up with a patch for the problem.