TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-058-001
Countries: IN, CN
Report Date: 20180222

“Devil’s Ivy” - Affecting Millions of IoT Devices  

A vulnerability in the gSOAP library, known as “Devil’s Ivy,” is being widely exploited in physical security products. It could allow attackers to fully disable or take over thousands of models of internet-connected devices, from security cameras to sensors and access-card readers. The flaw, a stack-based buffer overflow, was discovered by IoT security researchers in a camera from Axis Communications[1], one of the world’s largest security camera manufacturers.

Impact

The vulnerability, tracked as CVE-2017-9765, can be exploited to cause a denial-of-service (DoS) condition and to execute arbitrary code. NVD describes it as follows: “Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document, aka Devil's Ivy.” [2]
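The C listing below is an added illustration of the bug class named in the NVD entry (an integer overflow in a length check that lets an oversized input get past a fixed-size buffer). It is not gSOAP's soap_get code and is not part of the original report: the buffer capacity, the function names and the chunk sizes are assumptions constructed for the example. The flawed check wraps around on a very large chunk and accepts it; the hardened check compares against the remaining room and never computes a sum that can wrap.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: NOT gSOAP's code. BUF_CAP stands in for a parser's
 * fixed stack buffer; the values are assumptions for illustration only. */
#define BUF_CAP 4096u

typedef bool (*fits_fn)(unsigned offset, unsigned n);

/* Flawed check: offset + n is computed in a fixed-width unsigned integer, so a
 * huge n wraps to a small value and the comparison passes. */
bool flawed_fits(unsigned offset, unsigned n) {
    return offset + n <= BUF_CAP;
}

/* Hardened check: compare n against the room left instead of adding, so no
 * arithmetic can wrap; an offset already past the end is rejected outright. */
bool hardened_fits(unsigned offset, unsigned n) {
    if (offset > BUF_CAP) return false;
    return n <= BUF_CAP - offset;
}

/* Simulated streaming read: feeds the chunk lengths an XML document would
 * deliver over the network through a check and returns the final write
 * offset a parser would believe it is at, or -1 once a chunk is rejected.
 * No bytes are actually copied, so the flawed path is safe to run here. */
long simulate_read(const unsigned *chunk_lens, size_t count, fits_fn fits) {
    unsigned offset = 0;
    for (size_t i = 0; i < count; i++) {
        if (!fits(offset, chunk_lens[i])) return -1;   /* rejected: stop */
        offset += chunk_lens[i];                        /* wraps on the flawed path */
    }
    return (long)offset;
}

int main(void) {
    /* Constructed inputs: a benign document and one with a huge declared chunk. */
    const unsigned benign[] = { 100u, 3996u };
    const unsigned oversized[] = { 100u, UINT_MAX };

    printf("benign    flawed=%ld hardened=%ld\n",
           simulate_read(benign, 2, flawed_fits),
           simulate_read(benign, 2, hardened_fits));
    /* The flawed check "accepts" the 4 GB chunk and the offset wraps to 99,
     * which is exactly the state that lets a real copy overrun the buffer. */
    printf("oversized flawed=%ld hardened=%ld\n",
           simulate_read(oversized, 2, flawed_fits),
           simulate_read(oversized, 2, hardened_fits));
    return 0;
}
```

The point of the simulation is the last line of output: the flawed path reports a write offset of 99 after consuming a chunk of UINT_MAX bytes, while the hardened path refuses the chunk and returns -1.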

Figure 1. Axis Camera

If exploited, the vulnerability allows attackers to remotely access a video feed or deny the owner access to it. The vulnerability impacts 250 Axis camera models; however, the impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP (Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use it as part of a software stack to enable devices of all kinds to talk to the internet. Senrio has also published an advisory.[3]

Prevention and Mitigation Strategies

Wapack Labs customers should follow these recommendations to prevent and mitigate the vulnerability:

  • Keep IoT devices off the Internet, unless absolutely necessary
  • The devices should be placed behind a firewall or other defensive mechanisms. Users can utilize Network Address Translation (NAT) to reduce their exposure and improve the likelihood of detecting threats against their defenses.
  • Keep your devices updated with the latest patches and change passwords often.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com


[1] https://www.axis.com/

[2] https://nvd.nist.gov/vuln/detail/CVE-2017-9765

[3] http://blog.senr.io/devilsivy.html