Researchers investigating a vulnerability in security cameras from Axis Communications ended up uncovering a far more wide-ranging threat when they discovered that the flaw actually lies within a toolkit used by myriad Internet of Things product developers.
The stack buffer overflow bug, designated CVE-2017-9765 and nicknamed Devil’s Ivy by its discoverers at IoT security firm Senrio, affects 249 different camera models from Axis. If exploited, it allows attackers to remotely access video feeds or cut off the device owner’s access to the feed. “Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded,” Senrio wrote in a Tuesday blog post that was accompanied by a technical analysis.
After it Senrio privately disclosed its findings in mid-May, Axis Communications promptly issued a firmware patch to resolve the bug. But it turned out that the problem transcends the camera manufacturer: “It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree,” warned Senrio in its post, adding that the extent to which these other products can be exploited “cannot be determined at this time.”
“Because it allows for remote code execution, the access that you get with each IOT device is different,” explained M. Carlton, VP of research at Senrio, in an interview in SC Media. “The impact varies from device to device, but the threat is still there.”
The reason why the flaw is found in so many additional products is because it specifically resides in gSOAP (Simple Object Access Protocol), a software development toolkit for web services used by a broad array of companies. The tookit is developed and managed by the company Genivia, which lists Adobe, IBM, Microsoft and Xerox among its customers.
In late June, Genivia, issued its own Devil’s Ivy patch, which IoT manufacturers that use gSOAP can apply to secure their products. According to Senrio, vulnerable servers are the most likely devices to be exploited via Devil’s Ivy, but unpatched client devices are also susceptible.
Senrio’s Carlson said her research team named the vulnerability Devil’s Ivy “due to its ability to spread quickly through code reuse” and because it can “highly difficult to weed out” of affected devices.
In an email, Genivia downplayed the vulnerability, calling it an “obscure” bug that is exposed when applicable devices “run server configurations that are not preferred or recommended by Genivia.” Using the recommended configuration would likely resolve the problem, the company added.
Genivia noted that the bug could cause a “crash of the service or misbehavior after 2 GB is received by the server application.” However, “receiving a huge 2 GB amount of data is not required or supported by these devices, regardless whether or not the gSOAP software is used.”
John Bambenek, threat research manager at Fidelis Cybersecurity, offered reassurance that Devil’s Ivy was not poised to be the next Mirai IoT botnet. “Several unrelated factors need to be present to make this vulnerability weaponizable into an exploit,” Bambenek said. Still, “it is a reminder that organizations need to pay attention to the shared libraries they use in their own code and take steps to continuously integrate patches into their own code.”