A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack.
Researchers at IoT security firm Senrio discovered the Devil's Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications. The bug occurs when sending a large XML file to a vulnerable system's web server.
The flaw itself lies in gSOAP, an open source web services code library maintained by Genivia, which is imported by the Axis camera's remote configuration service. Senrio researchers were able to use the flaw to continually reboot the camera or change network settings and block the owner from viewing the video feed.
They were also able to reset the camera to factory default, which will prompt the attacker to change the credentials, giving them exclusive access to the camera feed.
Axis Communications confirmed that 249 of its 251 surveillance camera models were affected by the flaw, tagged as CVE-2017-9765. It released a firmware update on July 10 to address the issue.
"Products exposed and accessible from public Internet (via router port-forward or UPnP NAT) are at much higher risk and need immediate attention," Axis notes in its advisory. It believes the risk is "limited" for cameras behind a firewall.
According to Senrio, as of July 1 there were about 14,000 Axis cameras exposed on the internet.
But as the security firm notes, this bug "goes far beyond" Axis communications kit thanks to gSOAP's widespread use and will likely remain exposed on devices for a long time. Genivia counts Adobe, IBM, Microsoft, and Xerox as customers and claims gSOAP has been downloaded more than a million times.
Genivia explains in its advisory: "a potential vulnerability to a large and specific XML message over 2GB in size (greater than 2147483711 bytes to trigger the software bug). A buffer overflow can cause an open unsecured server to crash or malfunction after 2GB is received."
The bug is also likely going to remain unpatched for some time.
"We named the vulnerability Devil's Ivy because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse," said Senrio.
"Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate."