A vulnerability in the domain name system (DNS) component of a C standard library used in an extensive range of IoT products may put many devices at risk.
The library needs a DNS implementation because it provides the mechanism for handling DNS-related requests, such as lookups that translate domain names to IP addresses.
Analysis showed that the transaction ID of a DNS lookup request could be predicted, which makes DNS poisoning a real possibility in certain circumstances. DNS poisoning tricks the target device into pointing to an arbitrarily defined endpoint and engaging in network communications with it.
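One way a defender can check DNS queries captured from a device for this weakness, as an added example that is not code from Nozomi Networks or uClibc. It assumes one form of predictability, a fixed step between consecutive transaction IDs; the function names, thresholds and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, name="device.example"):
    """Constructed sample: a minimal DNS A query with the given transaction ID."""
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def query_txid(packet):
    """Return the transaction ID of a DNS query; reject short packets and responses."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    if flags & 0x8000:  # QR bit set: this is a response
        raise ValueError("not a query")
    return txid

def audit(packets, min_samples=8, threshold=0.5):
    """Flag a client whose consecutive transaction IDs mostly differ by one fixed step."""
    ids = []
    for p in packets:
        try:
            ids.append(query_txid(p))
        except ValueError:
            continue  # skip anything that is not a well-formed query
    if len(ids) < min_samples:
        return {"verdict": "insufficient-data", "samples": len(ids)}
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # wrap at 16 bits
    step, count = Counter(deltas).most_common(1)[0]
    ratio = count / len(deltas)
    verdict = "predictable" if ratio >= threshold else "no-fixed-step"
    return {"verdict": verdict, "step": step, "ratio": ratio, "samples": len(ids)}

# Constructed captures: one client counting upward across the 16-bit wrap,
# one client using unrelated values.
COUNTING = [build_query(0xFFFC + i) for i in range(10)]
SCATTERED = [build_query(x) for x in (0x3A1C, 0x91F2, 0x0B47, 0xE6D0, 0x5528,
                                      0xC09B, 0x7713, 0x1E8A, 0xA4F5, 0x6D3E)]

if __name__ == "__main__":
    print("counting :", audit(COUNTING))
    print("scattered:", audit(SCATTERED))
```

A `no-fixed-step` verdict only rules out this one pattern; it does not show that the IDs are unpredictable.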
According to researchers at Nozomi Networks, a fix is not currently available from the developer of uClibc, leaving products of up to 200 vendors at risk.
"Because this vulnerability remains unpatched, for the safety of the community, we cannot disclose the specific devices we tested on," says Nozomi. "We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructures."
IoT users should be well informed before applying new firmware from vendors; they should not blindly accept the latest updates as soon as they learn of them.