A flaw in a widely used code library known as gSOAP has exposed millions of IoT devices, especially security cameras, to remote attack.
IoT security firm Senrio discovered Devil’s Ivy, a stack buffer overflow bug, while probing the remote configuration service of the M3004 dome camera from Axis Communications. The bug is triggered when a large XML file is sent to a vulnerable system’s web server.
The flaw itself lies in gSOAP, an open source web services code library that the Axis camera’s remote configuration service imports. Exploiting it can reboot the camera or change its network settings, blocking the owner from viewing the video feed.
Axis Communications confirmed that 249 of its 251 surveillance camera models are affected by the flaw, tracked as CVE-2017-9765. According to Senrio, about 14,000 Axis cameras are exposed on the internet.
Products exposed and accessible from the public Internet are at much higher risk and need immediate attention; Axis believes the risk is limited for cameras behind a firewall. Axis Communications’ cameras are widely used by enterprises across the globe.
According to Genivia, the company behind gSOAP, more than 34 companies use the same underlying flawed software, including Microsoft, IBM, Xerox and Adobe. The researchers found that the flaw lies deep inside the software and can be exploited by an attacker to execute code remotely on an affected device.
The vulnerability is triggered by a large, specifically crafted XML message over 2GB in size: the buffer overflow can cause an open, unsecured server to crash or malfunction once 2GB have been received. The bug is also likely to remain unpatched for some time.
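As an added illustration, not code from gSOAP, Axis or the researchers, of the kind of input limit that keeps a server from ever accumulating a 2GB message: the C code below collects an incoming XML body only up to a fixed cap and refuses anything beyond it. The 16 MiB limit, the `xml_sink` type and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy limit for one XML message: far below the 2GB that
 * triggers Devil's Ivy, but ample for any real SOAP request. */
#define MAX_XML_BYTES ((size_t)16 * 1024 * 1024)

typedef struct {
    unsigned char *data;  /* caller-owned storage for the message */
    size_t cap;           /* capacity of that storage */
    size_t len;           /* bytes accumulated so far */
    int rejected;         /* set once the limit has been exceeded */
} xml_sink;

/* Append one network chunk. Returns 0 on success, -1 once the message
 * would exceed MAX_XML_BYTES or the buffer. The sum is checked for
 * wraparound before use, so the byte count can never silently pass the
 * limit the way a signed 32-bit counter could. */
int xml_sink_append(xml_sink *s, const unsigned char *chunk, size_t n)
{
    if (s->rejected)
        return -1;
    if (n > SIZE_MAX - s->len || s->len + n > MAX_XML_BYTES || s->len + n > s->cap) {
        s->rejected = 1;  /* refuse the message; do not hand it to the parser */
        return -1;
    }
    memcpy(s->data + s->len, chunk, n);
    s->len += n;
    return 0;
}

/* Simulate a client streaming `total` bytes of constructed payload in
 * 4096-byte pieces; returns how many bytes the sink accepted. */
size_t simulate_stream(size_t total)
{
    static unsigned char storage[MAX_XML_BYTES];
    static unsigned char piece[4096];
    xml_sink s = { storage, sizeof storage, 0, 0 };
    size_t sent = 0;
    memset(piece, 'A', sizeof piece);
    while (sent < total) {
        size_t n = total - sent < sizeof piece ? total - sent : sizeof piece;
        if (xml_sink_append(&s, piece, n) != 0)
            break;
        sent += n;
    }
    return s.len;
}
```

A 1 MiB message is accepted in full, while a 3 GiB stream is cut off at the 16 MiB cap long before the size that triggers the overflow.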
Senrio said that because the bug originates in a third-party toolkit, it has spread to thousands of devices and will be difficult to eliminate. Genivia has released a patch for the flaw. Axis did not immediately respond to a request for comment.