Executive Summary

Summary
Title : uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID
Information
Name : VU#473698
First vendor Publication : 2022-05-09
Vendor : VU-CERT
Last vendor Modification : 2023-04-04
Severity (Vendor) : N/A
Revision : M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Overall CVSS Score : 6.5
Base Score : 6.5
Environmental Score : 6.5
Impact Sub Score : 4.2
Temporal Score : 6.5
Exploitability Sub Score : 2.2

Attack Vector : Network
Attack Complexity : High
Privileges Required : None
User Interaction : None
Scope : Unchanged
Confidentiality Impact : High
Integrity Impact : Low
Availability Impact : None

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Cvss Base Score : 4
Attack Range : Network
Cvss Impact Score : 4.9
Attack Complexity : High
Cvss Exploit Score : 4.9
Authentication : None Required

Detail

Overview

The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predictable DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.

Description

uClibc and uClibc-ng are lightweight C standard libraries intended for use in embedded systems and mobile devices. The uClibc library has not been updated since May of 2012. The newer uClibc-ng is the currently maintained fork of uClibc, as announced on the OpenWRT mailing list in July 2014.

Researchers at the Nozomi Networks Security Research Team discovered that all existing versions of uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning. These libraries do not employ any randomization in the DNS Transaction ID (DNS TXID) field when creating a new DNS request. This can allow an attacker to send maliciously crafted DNS packets to corrupt the DNS cache with invalid entries and redirect users to arbitrary sites. As uClibc and uClibc-ng are used in devices such as home routers and firewalls, an attacker can perform attacks against multiple users in a shared network environment that relies on DNS responses from the vulnerable device.

DNS cache poisoning scenarios and defenses are discussed in IETF RFC 5452.

Impact

The lack of DNS response validation can allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to malicious sites.

Solution

Apply a patch

If your vendor has developed a patched version of uClibc or uClibc-ng to address this issue, apply the updates provided by your vendor. uClibc-ng was updated to 1.0.41 on 05/20/2022.

Product Developers

If you have a forked or customized version of uClibc or uClibc-ng, develop or adopt a patch to ensure the dns_lookup function provides adequate randomization of DNS TXIDs while making DNS requests. Review and consider applying the patch that has been made available in the patchwork repository of uClibc-ng with the VU#638879 tag.
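The following added example (not code from this advisory or from the uClibc-ng patch) contrasts the counter-style TXID described under Description with a TXID drawn from the kernel CSPRNG, and includes a check that developers can run over TXIDs captured from their own build. The function names are hypothetical, and a Linux-style /dev/urandom is assumed.

```c
/* Added illustration; function names are hypothetical, not uClibc-ng code. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Weak pattern from the advisory: a counter, so the next ID is last + 1. */
static uint16_t txid_counter;
uint16_t next_txid_counter(void) { return ++txid_counter; }

/* Hardened pattern: 16 bits from the kernel CSPRNG. Returns 0 on success,
 * -1 on failure so the caller can refuse to send a query with a guessable ID. */
int next_txid_random(uint16_t *out)
{
    unsigned char buf[2];
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);  /* assumed to exist on target */
    if (fd < 0) return -1;
    while (got < sizeof buf) {
        ssize_t n = read(fd, buf + got, sizeof buf - got);
        if (n <= 0) { close(fd); return -1; }  /* fail closed */
        got += (size_t)n;
    }
    close(fd);
    *out = (uint16_t)((buf[0] << 8) | buf[1]);
    return 0;
}

/* Audit check for IDs observed from a resolver in your own lab capture:
 * returns 1 if every ID is the previous one plus 1 (mod 2^16), else 0. */
int txids_are_sequential(const uint16_t *ids, size_t n)
{
    if (n < 2) return 0;
    for (size_t i = 1; i < n; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) != 1)
            return 0;
    return 1;
}

int main(void)
{
    uint16_t weak[32], strong[32];
    for (size_t i = 0; i < 32; i++) {
        weak[i] = next_txid_counter();
        if (next_txid_random(&strong[i]) != 0) return 1;
    }
    printf("counter sequential: %d, random sequential: %d\n",
           txids_are_sequential(weak, 32), txids_are_sequential(strong, 32));
    return 0;
}
```

A random 16-bit ID is only one of the defenses in RFC 5452, which also calls for randomizing the UDP source port of each query.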

Follow security best practices

Consider the following security best-practices to protect DNS infrastructure:

  • Prevent direct exposure of IoT devices and lightweight devices over the Internet to minimize attacks against a caching DNS server.
  • Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS recursion services where applicable.
  • Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).

Acknowledgements

Thanks to the Nozomi Networks Security Research Team for this report.

This document was written by Vijay Sarvepalli and Timur Snoke.

Original Source

Url : https://kb.cert.org/vuls/id/473698

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-330 Use of Insufficiently Random Values

CPE : Common Platform Enumeration

Type Description Count
Application 2
Application 2

Alert History

Date Information
2023-04-04 17:22:10
  • Multiple Updates
2023-02-22 17:22:09
  • Multiple Updates
2022-08-29 17:22:01
  • Multiple Updates
2022-07-12 17:22:01
  • Multiple Updates
2022-07-06 21:22:00
  • Multiple Updates
2022-06-06 17:21:57
  • Multiple Updates
2022-05-27 21:22:01
  • Multiple Updates
2022-05-26 21:22:01
  • Multiple Updates
2022-05-23 17:21:56
  • Multiple Updates
2022-05-16 21:34:40
  • Multiple Updates
2022-05-11 21:17:44
  • Multiple Updates
2022-05-10 21:17:43
  • Multiple Updates
2022-05-10 00:29:39
  • Multiple Updates
2022-05-10 00:17:42
  • Multiple Updates
2022-05-09 21:29:54
  • Multiple Updates
2022-05-09 21:17:45
  • First insertion