Open Source Flaw ‘Devil’s Ivy’ Puts Millions of IoT Devices at Risk | Software
Millions of IoT devices are vulnerable to cybersecurity attacks due to a vulnerability initially discovered in remote security cameras, Senrio reported this week.
The firm found the flaw in a security camera developed by Axis Communications, one of the world’s biggest manufacturers of the devices.
The Model 3004 security camera is used for security at the Los Angeles International Airport and other places, according to Senrio.
The problem turned out to be a stack buffer overflow vulnerability, which the firm dubbed “Devil’s Ivy.”
Axis notified the security firm that 249 different models of the camera were affected by the vulnerability. It found only three models that were unaffected.
Buried Deep
The problem lies deep in the communication layer of gSOAP, an open source third-party toolkit that is used by all kinds of device makers for IoT technology, according to Senrio.
gSOAP manager Genivia reported that the toolkit has been downloaded more than 1 million times, according to Senrio. Most of the downloads likely involved developers. Major companies including IBM, Microsoft, Adobe and Xerox are customers of the firm.
Genivia issued a new patch for gSOAP within 24 hours of being alerted to the vulnerability, and said it notified customers of the problem, according to CEO Robert van Engelen.
The obscure flaw was caused by an intended integer underflow, followed by a second unintended integer underflow that triggered the bug, he told LinuxInsider.
“The trigger happens when at least 2 GB of XML data is uploaded to a Web server,” van Engelen explained. “This bug was not discovered by proprietary static analysis tools or by our source code users who looked at the source code since 2002.”
Certain ONVIF devices act as Web servers, making them vulnerable when configured to accept more than 2 GB of XML data, he noted.
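To make the bug class concrete, here is an added illustration (not gSOAP's code, and not from Senrio or Genivia) of how an integer underflow in a length calculation can hand an oversized length to a copy into a fixed stack buffer, alongside the checked version a defender would expect. The function names, buffer size and XML sample are invented for the demonstration; the vulnerable path only reports the wrapped length rather than performing the unsafe copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the integer-underflow -> stack-buffer-overflow
 * bug class described in the article. This is NOT gSOAP's code; names and
 * sizes are hypothetical. */

#define BUF_SIZE 64u   /* size of a fixed stack buffer (hypothetical) */

/* Unchecked remaining-length computation: when 'consumed' exceeds 'total'
 * (e.g. after a counter wraps on very large input), the size_t subtraction
 * underflows to a huge value that a later copy would blindly trust. */
size_t remaining_unchecked(size_t total, size_t consumed) {
    return total - consumed;              /* wraps when consumed > total */
}

/* Checked version: refuses to produce a length the caller cannot trust. */
int remaining_checked(size_t total, size_t consumed, size_t *out) {
    if (consumed > total) {
        return -1;                        /* underflow would occur: reject */
    }
    *out = total - consumed;
    return 0;
}

/* Hardened copy into a fixed buffer: bound the copy by the destination size
 * as well as the computed length, and reject rather than truncate silently. */
int copy_chunk_checked(char *dst, size_t dst_size, const char *src, size_t len) {
    if (len >= dst_size) {                /* leave room for the terminator */
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Vulnerable pattern: in the buggy code this length would be passed straight
 * to memcpy into a BUF_SIZE-byte stack array. Here it is only returned, so
 * the demo never actually corrupts memory. */
size_t vulnerable_copy_length(size_t total, size_t consumed) {
    return remaining_unchecked(total, consumed);
}

/* Simulates a parser whose consumed count has passed its (wrapped) total,
 * the kind of state the article attributes to a >2 GB upload, and shows the
 * hardened path rejecting it. Returns 0 on success, -1 on rejection. */
int process_simulated(size_t total, size_t consumed) {
    char buf[BUF_SIZE];
    size_t len;
    /* constructed sample payload */
    static const char src[] = "<?xml version=\"1.0\"?><Envelope/>";

    if (remaining_checked(total, consumed, &len) != 0) {
        return -1;
    }
    if (len > sizeof(src) - 1) {
        len = sizeof(src) - 1;            /* never read past the sample */
    }
    return copy_chunk_checked(buf, sizeof buf, src, len);
}

int main(void) {
    printf("unchecked remaining(10,12): %zu (wrapped)\n",
           vulnerable_copy_length(10, 12));
    printf("checked path (10,12): %d\n", process_simulated(10, 12));  /* -1 */
    printf("checked path (40,12): %d\n", process_simulated(40, 12));  /* 0 */
    return 0;
}
```

The point of the contrast is that the unchecked subtraction silently yields a value near `SIZE_MAX`, which no fixed buffer can hold, whereas the checked path fails closed before any copy happens.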
Wide-Ranging Problem
Many large manufacturers are using the same source, the ONVIF forum, for their networking protocol libraries, noted Ryan Spanier, director of research at Kudelski Security.
Because it is a shared library, the vulnerability exists in a large number of devices, he told LinuxInsider.
“Companies regularly integrate hardware and software into their devices that they did not write themselves,” Spanier said. “In some ways, this is similar to the Mirai botnet, but in that case they targeted an insecure backdoor present in a chip used by multiple camera manufacturers.”
The Mirai botnet, which struck last year, was one of the biggest incidents ever recorded, targeting the KrebsOnSecurity blog with a massive DDoS attack that measured 620 gigabytes per second.
An incident like Devil’s Ivy was inevitable, observed Bryan Singer, director of industrial cybersecurity services at IOActive.
“In the veritable push to technology, it is all too common that the drive towards first-to-market functionality will badly outpace solid, secure design,” he told LinuxInsider. “Unfortunately, this head-smack moment is all too common.”
Vendors need to audit components appropriately for security purposes, Dustin Childs, communications manager for Trend Micro’s zero day initiative, told LinuxInsider, as “misunderstood or poorly implemented open source software allows attackers a path to bypass security mechanisms.”
The post Open Source Flaw ‘Devil’s Ivy’ Puts Millions of IoT Devices at Risk | Software appeared first on Nigerian News 24/7 | ElotiTV.com.
by Eloti TV via Nigerian News 24/7 | ElotiTV.com