Nozomi DNS poisoning bug affects OpenWrt?

After months of work by industrial control systems (ICS) cybersecurity teams, a fix for a widespread Domain Name System (DNS) poisoning bug still hasn't been found. Now they're asking for help from the wider cybersecurity community.

A blog post from a team of ICS analysts at Nozomi Networks explained the flaw exists in all versions of the widely used C standard library for Internet of Things (IoT) gear called uClibc, as well as uClibc-ng, which is a special version for OpenWRT, a "common OS for routers deployed throughout various critical infrastructure sectors."

Just went here to ask/inform about the same. I didn't found any reference in maillist nor commits fixing it, so I was wondering if devs were even informed about this bug

OpenWrt switched from using uClibc to musl by default already back in 2015, so no, unless you're running a really, really old version or you're using a custom build with uClibc.

1 Like

Vanilla OpenWrt is unaffected as it uses musl libc since quite a while, as pointed out by @WereCatf already.

Many OEM forks of OpenWrt utilize a version based on Chaos Calmer 15.05 though, which still uses an equally old version of uclibc. Those versions might be affected. Unfortunately the OpenWrt project is not in a position to provide patches for those versions.

7 Likes

Where is the code affected by this? Has it been validated that it isn't vulnerable? Just saying it uses a different C library doesn't make it fixed. I'm not saying you're wrong, but I'd like to ensure my router is safe.

Sample code from libc is here: https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-dns-bug-in-popular-c-standard-library-putting-iot-at-risk/

You are entirely free to check the code yourself at https://musl.libc.org/

2 Likes