"Many IoT Devices Exposed to Attacks Due to Unpatched Flaw in uClibc Library"

Nozomi Networks, a firm specializing in securing operational technology (OT) and IoT systems, has recently disclosed a potentially severe vulnerability affecting a C standard library used by several major companies. The affected library is uClibc, which is designed for developing embedded Linux systems. According to the official uClibc website, the library is used by Linksys and Netgear for their wireless routers and by Axis for its network cameras. uClibc-ng, a fork used by the OpenWRT router operating system, is also affected by the vulnerability. The security hole, tracked as CVE-2022-05-02, can be exploited for DNS poisoning attacks against affected devices. The researchers stated that there is no patch for the vulnerability, but its disclosure will hopefully lead to the development of a fix. The vulnerability was discovered by Nozomi researchers last year, but the developer initially appeared unresponsive. The developer finally responded in March, saying that they could not fix the vulnerability on their own and asking that it be publicly disclosed in the hope that the community could help address it. Since a patch has yet to be released, Nozomi has not disclosed the names of any impacted products but described them as a “range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure.”


SecurityWeek reports: "Many IoT Devices Exposed to Attacks Due to Unpatched Flaw in uClibc Library"
