
Coding Library Vulnerability May Trickle Down to Thousands of IoT Devices


CrAKeN


 

A vulnerability codenamed Devil's Ivy is putting thousands of Internet-connected devices at risk of hacking.

 

Discovered by security researchers from Senrio, the flaw affects gSOAP, a C/C++ library widely used in the development of firmware for embedded devices.

 

gSOAP is a dual-licensed (free and commercial) product developed by Genivia, which says on its website that the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."

 

Vulnerability initially discovered in security camera firmware


Senrio researchers initially discovered the vulnerability while analyzing the firmware of the Axis M3004 security camera.

 

After contacting the camera vendor with their findings, Axis told Senrio that the Devil's Ivy vulnerability affects 249 of 252 security camera models the company makes, which use firmware that includes the gSOAP toolkit.

 

The vulnerability is a simple buffer overflow, but Senrio researchers have managed to use it to execute code on the Axis security camera. A video recorded by researchers is embedded below, demoing the attack:

 

Devil’s Ivy Exploit in Axis Security Camera

 

Axis has issued firmware updates for some of the affected devices. Genivia, the company behind gSOAP, also released version 2.8.48 on June 21, a version that includes a patch for Devil's Ivy.

 

Devil's Ivy flaw affects "thousands of devices"


The problem is that gSOAP is very popular among many IoT and networking equipment vendors. On their website, Genivia claims the library was downloaded over one million times.

 

The library is one of the coding tools recommended by the ONVIF Forum, an unofficial international group of hardware vendors that issues recommendations on networking-related best practices.

 

According to data obtained by Senrio, about 6% of all the ONVIF members use gSOAP for their products. Senrio estimates that "thousands of devices" may be vulnerable to Devil's Ivy.

 

A technical report detailing the vulnerability is available here. Devil's Ivy is tracked as CVE-2017-9765.

 

 

Source
