CVE-2015-5987
Description
Belkin F9K1102 v2 router uses predictable, incrementing DNS transaction IDs, enabling remote attackers to spoof DNS responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Belkin F9K1102 v2 routers with firmware version 2.10.17 (and possibly earlier) use an improper algorithm for selecting the DNS transaction ID (TXID) in outgoing DNS queries. The TXID starts at 0x0002 and increases incrementally with each query. This issue is classified as CWE-330 (Use of Insufficiently Random Values) per the CERT/CC VU#201168 advisory [1].
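A defender can check captured resolver traffic for the incrementing pattern described above. The following is an added example, not code from the advisory or the vendor: the function names, the 0.8 threshold and the sample payloads are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, name="example.com"):
    """Constructed sample: minimal DNS A-record query payload (header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def query_txid(payload):
    """Return the TXID of a DNS query payload, or None if it is not a query."""
    if len(payload) < 12:                      # shorter than a DNS header
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return None if flags & 0x8000 else txid    # QR bit set means a response

def assess_txids(payloads, threshold=0.8):
    """Flag a query stream whose TXIDs mostly advance by one fixed step."""
    ids = [t for t in map(query_txid, payloads) if t is not None]
    if len(ids) < 4:                           # too few samples to judge
        return {"queries": len(ids), "predictable": False, "step": None, "share": 0.0}
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # wrap at 16 bits
    step, count = Counter(deltas).most_common(1)[0]
    share = count / len(deltas)
    return {"queries": len(ids), "predictable": share >= threshold,
            "step": step, "share": share}

# Constructed samples: a counter starting at 0x0002, and arbitrary-looking IDs.
INCREMENTING = [build_query(0x0002 + i) for i in range(8)]
SCATTERED = [build_query(t) for t in
             (0x9A31, 0x04C7, 0xE2B0, 0x5F18, 0x73D9, 0x1C64, 0xB80E, 0x2AF5)]

if __name__ == "__main__":
    for label, sample in (("incrementing", INCREMENTING), ("scattered", SCATTERED)):
        print(label, assess_txids(sample))
```

Feed it the UDP payloads of queries sent by one resolver, in capture order; responses and truncated packets are skipped.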
Exploitation
An attacker with the ability to spoof DNS responses (e.g., by being on the same network and performing a man-in-the-middle attack, or by controlling a rogue DNS server that can intercept queries) can predict the next TXID value. Since the TXID is the only validation check in standard DNS over UDP, the attacker can craft a forged DNS response with the correct TXID and deliver it before the legitimate response arrives, causing the router to accept the malicious response [1].
Impact
Successful exploitation allows the attacker to redirect the router's DNS queries—including those for firmware update servers and NTP servers—to attacker-controlled hosts. This can lead to the installation of malicious firmware, denial of service, or further compromise of network devices [1].
Mitigation
Belkin has not released a patched firmware version for this vulnerability as of the last revision of the advisory (2016-09-22). Users are advised to disable remote management, use strong administrative passwords, and consider replacing the device if no update becomes available. The product may be end-of-life; no mitigation is available from the vendor [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:zyxel:gs1900-10hp_firmware:*:*:*:*:*:*:*:* (Range: <2.50\(aazi.0\)c0)
Patches
No patches discovered yet.
References
[1] www.kb.cert.org/vuls/id/201168 (nvd; Third Party Advisory; US Government Resource)