Date: July 30, 2017
Researchers with IoT cyber security outfit Senrio,discovered a serious stack buffer overflow vulnerability – “Devil’s Ivy” in gSOAP, an open source, a third-party code library used by thousands of IoT by many different manufacturers.
It was unearthed during their analysis of the remote configuration service of a web camera manufactured by Axis Communications.
Senior Researchers said,
“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. And, since these cameras are meant to secure something, like a bank lobby, this could lead to the collection of sensitive information or prevent a crime from being observed or recorded.”
The result of consecutive exploitation could be even more intense if other types of IoT devices use a vulnerable version of gSOAP.
But analysts say that exploiting this kind of flaw up to the extent of spreading the IoT worms like Mirai is not easy.
Also, the exploit requires the attacker to load at least a 2 GB file to the Web interface of victim’s device and a common device doesn’t accept such a big file upload.
Adding another point to it, to create a universal attack tool, different devices should respond to such an upload similarly which again is very difficult.
Researchers have alerted Axis Communications of their discovery. The Company quickly responded to it and found that 249 of their camera models have Devil’s Ivy present in them.
Axis Communications have found and released a patched firmware for it. They requested customers and partners to upgrade it.
The management company of gSoAP library, Genivia, released a new version (18.104.22.168) with a patch of the flaw, in June.
According to Senrio researchers, the extent to which devices are exploited is difficult to determine at present. Genivia numbers suggest that library has been downloaded million of times.
This flaw is present in the third-party code base that is adopted by many companies.
The ONVIF forum, an organization responsible for maintaining software and networking protocols relies on gSOAP to support the ONVIF specifications, and approximately 6% of the forum members use gSOAP.
All manufacturers should proactively, fix the Devil’s Ivy. They should even request users to update their firmware.
Users can also demand a fix and should connect their security devices to the private network and should even install other security measures.
Training solutions include the gold standard HIPAA credential, Certified HIPAA Professional (CHP) and our world’s first compliance and cyber security credential, Certified Security Compliance Specialist (CSCS).
ecfirst is a HITRUST Authorized CSF Assessor.
Many clients engage ecfirst extensively for the flexible services that range from on-demand consulting to its managed compliance services programs that covers training, policies, remediation, risk assessment, technical vulnerability assessments penetration testing and much more.