CVE-2026-29125 Overview
CVE-2026-29125 affects IDC SFX2100 satellite receivers manufactured by Datacast. The firmware sets the /etc/resolv.conf file to be world-writable, allowing any local user to modify DNS resolver settings. An attacker with local access can tamper with DNS resolution to redirect network traffic, facilitate man-in-the-middle attacks, or cause denial of service. The weakness is classified under [CWE-732] Incorrect Permission Assignment for Critical Resource.
Critical Impact
Local users can rewrite /etc/resolv.conf to redirect device DNS lookups, enabling traffic interception and service disruption on affected SFX2100 receivers.
Affected Products
- Datacast SFX2100 satellite receiver hardware
- Datacast SFX2100 firmware (all versions, no fixed version published)
- Deployments relying on default firmware permissions for /etc/resolv.conf
Discovery Timeline
- 2026-03-05 - CVE-2026-29125 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29125
Vulnerability Analysis
The SFX2100 firmware ships with /etc/resolv.conf configured with world-writable permissions. Any authenticated local user can overwrite the file without elevated privileges. Because /etc/resolv.conf controls how the device resolves hostnames, an attacker can substitute arbitrary nameserver entries. Subsequent outbound connections, including firmware update checks, telemetry, and management traffic, may resolve to attacker-controlled hosts. The attack requires local access and elevated complexity, but produces high availability impact and broader integrity consequences across dependent services. See the Abdulmhs Blog Vulnerability Analysis for the full technical write-up.
Root Cause
The firmware build process assigns permission mode 0666 (or equivalent world-writable mode) to /etc/resolv.conf. Standard Linux convention restricts write access on this file to root only. The misconfiguration violates the principle of least privilege and falls under [CWE-732]. No access control list or mandatory access control policy compensates for the loose permissions.
Attack Vector
An attacker first obtains local shell access on the SFX2100, for example through a low-privilege service account, exposed debug interface, or chained vulnerability. The attacker writes new nameserver directives into /etc/resolv.conf, pointing the resolver at a host they control. From there, the attacker can intercept plaintext protocols, deliver spoofed responses for unauthenticated update endpoints, or block resolution entirely to cause denial of service. No code execution primitive is required because the operating system trusts the file contents directly.
No verified proof-of-concept code is published. Refer to the Abdulmhs Blog Vulnerability Analysis for the disclosed technical details.
Detection Methods for CVE-2026-29125
Indicators of Compromise
- /etc/resolv.conf permissions set to 0666 or otherwise writable by non-root users
- Unexpected nameserver entries in /etc/resolv.conf pointing to untrusted IP addresses
- DNS responses for vendor or management hostnames resolving to attacker-controlled infrastructure
- Outbound DNS traffic from SFX2100 devices directed at hosts outside the approved resolver list
Detection Strategies
- Audit file permissions on /etc/resolv.conf across all SFX2100 devices and flag any non-root writable result
- Compare current resolver entries against a known-good baseline collected immediately after provisioning
- Capture and inspect DNS traffic from receiver subnets for queries to unapproved upstream resolvers
- Correlate authentication events on the device with subsequent changes to system configuration files
Monitoring Recommendations
- Enable file integrity monitoring on /etc/resolv.conf and other configuration files in /etc
- Forward device syslog to a centralized SIEM and alert on resolver changes
- Track DNS egress at the network boundary and restrict receivers to approved resolvers via firewall rules
How to Mitigate CVE-2026-29125
Immediate Actions Required
- Restrict /etc/resolv.conf to root ownership with 0644 permissions on every SFX2100 unit
- Limit local shell access to the device and remove unused service accounts
- Place SFX2100 receivers on a segmented network with egress filtering for DNS traffic
- Inventory all deployed SFX2100 firmware versions and prioritize remediation on internet-exposed devices
Patch Information
No vendor patch is referenced in the published advisory at the time of writing. Operators should monitor Datacast communications for firmware updates that correct the default permissions on /etc/resolv.conf. Until a fix is released, apply the manual permission hardening and network controls described in this section.
Workarounds
- Manually reset permissions with chmod 644 /etc/resolv.conf and chown root:root /etc/resolv.conf after each reboot if the firmware resets them
- Use a startup script or cron job to enforce correct permissions and validate resolver contents
- Force DNS traffic through an upstream firewall that only permits approved resolvers, neutralizing tampered entries
- Make /etc/resolv.conf immutable with chattr +i /etc/resolv.conf if the platform supports the extended attribute
# Configuration example
chown root:root /etc/resolv.conf
chmod 644 /etc/resolv.conf
chattr +i /etc/resolv.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
