In fact, there are millions of IoT devices that are vulnerable to a critical security flaw residing in the DNS component of a C Standard library that all sorts of firmware developers make use of.  That means that right now, there are literally millions of ticking time bombs out there and one or more of them could be connected to your network.

There are two libraries to be aware of here:  uClibc and its fork, developed by the OpenWRT team.  You'll find major companies like Linksys, Axis, and Netgear making use of both on a regular basis, and you'll even find it in some Linux distributions.

Unfortunately, at the time this article was written, there are no fixes available from the developer which leaves the products of more than 200 different vendors at risk.

Essentially, the flaw relies on a predictable transaction ID for DNS lookup requests.  It is that predictability that creates the vulnerability and allows a clever hacker to "trick" a vulnerable device into pointing to an arbitrarily defined end point specified by the hacker, which would have the effect of rerouting your network traffic to a server under the control of the hackers.

As you can imagine, that would cause no end of trouble for you and your company. That is because the hackers would then have perfect visibility into everything you do on your network and would be able to inject any sort of malware into any system on your network.

There's no simple solution here except to disconnect any vulnerable IoT devices from your network and contact the developers who maintain the library and demand immediate action.  A fix is currently in the works, but adding your voice to the rapidly growing chorus can't hurt.

Used with permission from Article Aggregator