Researchers have found that an unpatched Domain Name System (DNS) bug enables attackers to deploy “DNS poisoning” attacks against millions of IoT devices and routers. The bug is 10 years-old and does not have a ready fix.

The bug exists within popular standard C libraries; uClibc and uClibc-ng, which help generate predictable, incremental transaction identifiers (IDs) in DNS response and network communications.

The bug was reported to ICS-CERT roughly six months ago, and the fact that it remains unpatched serves as a reminder of the challenges associated with open source code security.

If successful in exploiting the vulnerability, hackers can potentially take control over systems.

Devices affected

The flaw affects products from as many as 200 major vendors, including Linksys, Netgear, Axis and Linux. Specific products impacted by the bug were not formally named in the research.

What is a DNS poisoning attack?

In a DNS poisoning attack, also known as DNS spoofing or DNS cache poisoning, an attacker tricks a client device into accepting a false response. When this occurs, it forces a program to perform network communications with an arbitrarily defined endpoint rather than the legitimate one.

Possible consequences

Successful DNS poisoning attacks allow for man-in-the middle attacks, and the re-routing of network communications to a server under attacker control. In such circumstances, attackers could then steal or manipulate user information or perform other attacks against devices in order to further compromise them.

Cyber security experts are currently working with the manager of a certain code library in order to create a fix for the vulnerability.

DNS as target – technical insights

This DNS vulnerability has parallels to last year’s Log4Shell flaw, which sent shockwaves through the cyber security community. Although the DNS flaw affects a different set of targets, it retains a broad scope on account of the inherent importance of DNS to any device connecting over IP.

DNS reflects a hierarchical database that serves the integral purpose of translating a domain name into a relevant IP address. In distinguishing the responses of different DNS requests, every request includes transaction parameters, known as a “transaction ID”.

The transaction ID is a unique number associated with the request. It’s generated by the client and included in each request sent. The transaction ID needs inclusion within a DNS response in order to be accepted by the client as the valid one for request.


The bug exists on millions of IoT devices. Until a patch is released, experts recommend that network administrators increase their network visibility and security in both IT and Operational Technology environments.

Researchers are working with the owner of the code library and the broader community in order to develop a solution. Public disclosure of the bug is expected to yield greater collaboration around a creative technical management.

Organizations that use IoT and router devices are encouraged to keep an eye on new firmware releases from vendors and to apply updates as soon as they become available.

For the latest insights into security for code vulnerabilities, check out CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.