A flaw in a widely-used code library has left millions of security cameras and other IoT devices vulnerable to remote attackers.
Security firm Senrio discovered the remote code execution flaw, dubbed Devil’s Ivy, while analyzing one dome camera from Swedish firm Axis Communications. The surveillance camera giant has confirmed that 249 camera models were also affected; only two of its older models were unaffected.
The flaw itself however resides in a widely-used third-party code library called gSOAP (Simple Object Access Protocol), a toolkit that allows devices to communicate on the internet. gSOAP's role as a common communications library means the bug likely affects many more devices than just Axis cameras.
The kit is maintained by US firm Genivia, which sells it with enterprise support and makes it available as an open source product. Genivia, which boasts IBM, Microsoft, Adobe and Xerox as customers, has released an update to fix the issue.
Besides Axis Communications products, it likely affects millions of devices from other brands that use gSOAP. Around six percent of members of the ONVIF forum use gSOAP, according to Senrio. ONVIF helps ensure software interoperability for physical security products made by nearly 1,000 of its members.
"Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines," wrote Senrio.
"While forums like ONVIF serve a useful purpose when it comes to issues of cost, efficiency, and interoperability, it is important to remember that code reuse is vulnerability reuse," it added.
As Senior explains, it chose the name Devil’s Ivy "because, like the plant, it is nearly impossible to kill and spreads quickly through code reuse."
"Its source in a third-party toolkit downloaded millions of times means that it has spread to thousands of devices and will be difficult to entirely eliminate."
In the case of Axis, an attacker can gSOAP flaw to remotely access a video feed or create a denial of service, blocking the owner from accessing their feed. Both impacts are significant given Axis’ cameras are used to monitor airports, banks, energy facilities, retailers, and stadiums the world over.
Axis Communications released a firmware update and advisory on July 10 describing the bug as critical.
Axis notes that cameras exposed to the internet are at a “much higher risk and need immediate attention”. There was a lower risk for devices behind a firewall, though it still urged customers to update these products.
“Axis Linux based products supporting SOAP WebServices use an imported open- source package affected by a critical vulnerability. The flaw (stack buffer overflow), allows an attacker to crash the SOAP WebServices daemon (DOS-attack). The flaw can also be exploited by a skilled and determined attacker to execute arbitrary code on the product. As a precaution, Axis recommends to patch products with the latest available firmware,” it said.
Senrio’s July 1 search of Shodan found 14,700 Axis dome cameras exposed on the internet.