A critical, remotely exploitable vulnerability has been discovered in an open-source development library used by major manufacturers of Internet-of-Things devices, leaving millions of devices exposed to attack.
Researchers at Senrio discovered a stack-based buffer overflow (CVE-2017-9765), dubbed Devil's Ivy, that results in remote code execution. The flaw lies in the XML parsing code of gSOAP, an open-source third-party C/C++ toolkit from Genivia that auto-generates code for SOAP (Simple Object Access Protocol) and XML web services; it is fixed in gSOAP 2.8.48.
The vulnerability was found while analysing an Axis Communications security camera. When exploited, it allows an attacker to remotely access the video feed or deny the owner access to it. Since these cameras are meant to secure something, such as a bank lobby, this could lead to the collection of sensitive information or prevent a crime from being observed or recorded.
Axis confirmed that Devil's Ivy is present in 249 distinct camera models, the only exceptions being three of its older cameras, and released patched firmware on July 6th, 2017 to address the vulnerability, urging partners and customers to upgrade as soon as possible.
The impact of Devil's Ivy goes far beyond Axis. It lies deep in the communication layer, in the open-source third-party toolkit gSOAP. Any software or device manufacturer that relies on gSOAP to serve its web services is affected, though the extent to which such devices can actually be exploited cannot be determined at this time. The researchers believe their exploit would work on internet-connected devices from other vendors as well, since the affected software is used by Canon, Siemens, Cisco, Hitachi and many others. One practical caveat: the NVD entry for CVE-2017-9765 describes the trigger as a very large XML document (on the order of gigabytes) and notes that such a request would be blocked by many common web servers and firewalls, which is why the network-level mitigations below matter even where a firmware fix is not yet available.
The full technical breakdown can be found here.
1. Keep physical security devices off the public internet : As of July 1st, a Shodan search showed over 14,700 Axis dome cameras publicly accessible to anyone in the world, and every one of them that is vulnerable to Devil's Ivy is potentially exploitable. Devices like security cameras belong on a private network, which makes exploitation much more difficult.
2. Defend IoT devices as much as possible : If you can place a firewall or other defensive mechanism in front of an IoT device, or put it behind Network Address Translation (NAT), you reduce its exposure and improve the likelihood of detecting threats against it. A reverse proxy or firewall that caps request body size also blocks the oversized XML request this bug needs.
3. Patch : Patching IoT devices is not always possible, even when the underlying OS is something familiar, like Windows XP. When a manufacturer does release a patch, update your devices as soon as possible. If patching is not within your control, place other layers of security between the vulnerable device and the external internet.
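The following is an added example, not code from Senrio, Axis or Genivia, that turns the first two recommendations into checks a practitioner can run against their own data: one flags cameras whose address falls outside the organisation's internal ranges (recommendation 1), the other flags POST requests to SOAP endpoints whose request body is far larger than any legitimate ONVIF/VAPIX call, which is the shape of the CVE-2017-9765 trigger (recommendation 2). The inventory records, the log format and its lines, the endpoint paths and the 1 MiB ceiling are all constructed assumptions for the example, not a list of affected URLs or an official threshold.

```python
"""Added example: exposure and oversized-SOAP-request checks for cameras
behind a proxy or firewall. Inventory, log format and paths are constructed."""
import ipaddress
import re

# Assumption: these are the networks the organisation treats as internal.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumption: SOAP endpoint paths to watch. /onvif/device_service is the
# conventional ONVIF path; /vapix/services is used here as an assumed
# Axis-style SOAP path for illustration.
SOAP_PATHS = ("/onvif/device_service", "/vapix/services")

# Ceiling for a SOAP request body. Legitimate ONVIF/VAPIX calls are a few
# KiB; the CVE-2017-9765 trigger is an XML document of gigabytes, so 1 MiB
# separates the two with a wide margin. (Assumed value, tune per deployment.)
MAX_SOAP_BODY_BYTES = 1 * 1024 * 1024

# Constructed inventory: (hostname, management address)
INVENTORY = [
    ("lobby-cam-1", "192.168.10.21"),
    ("parking-cam-2", "203.0.113.45"),   # outside internal ranges
    ("vault-cam-3", "10.4.0.9"),
]

# Constructed log lines: client, method, path, status, request body bytes.
# In practice the last column would come from a proxy field such as nginx's
# $request_length; the format itself is an assumption for this example.
SAMPLE_LOG = [
    "192.168.10.5 POST /onvif/device_service 200 1840",
    "198.51.100.7 POST /onvif/device_service 200 2147483700",
    "192.168.10.5 GET /axis-cgi/jpg/image.cgi 200 0",
    "198.51.100.7 POST /vapix/services 400 1073741824",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<body>\d+)$"
)


def exposed_devices(inventory, internal=INTERNAL_NETWORKS):
    """Return hostnames whose address is not inside any internal network.

    Uses an explicit allow-list of internal ranges rather than
    ipaddress.is_global, so documentation ranges such as 203.0.113.0/24
    are still reported as exposed."""
    exposed = []
    for host, addr in inventory:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in internal):
            exposed.append(host)
    return exposed


def oversized_soap_requests(lines, limit=MAX_SOAP_BODY_BYTES):
    """Return (client, path, body_bytes) for POSTs to SOAP endpoints whose
    body exceeds the limit. Unparseable lines are skipped, not treated as hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"] not in SOAP_PATHS:
            continue
        body = int(m["body"])
        if body > limit:
            hits.append((m["client"], m["path"], body))
    return hits


if __name__ == "__main__":
    for host in exposed_devices(INVENTORY):
        print(f"EXPOSED: {host} is reachable outside internal networks")
    for client, path, body in oversized_soap_requests(SAMPLE_LOG):
        print(f"OVERSIZED SOAP: {client} -> {path} ({body} bytes)")
```

The body-size check is only a detection; the same ceiling should be enforced in front of the device, for example with nginx's `client_max_body_size` directive on a reverse proxy, so the oversized request never reaches the camera's gSOAP parser.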