Author: Tom Spring / Source: Threatpost | The first stop for security news
Tens of millions of products, ranging from airport surveillance cameras to sensors, networking equipment and IoT devices, are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them.
The vulnerability, dubbed Devil’s Ivy, was identified by researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications. Senrio said 249 of 251 Axis camera models are vulnerable to unauthenticated remote attackers, who can intercept a video feed, reboot cameras, or pause a video feed while conducting a crime.
Researchers said Axis Communications isn’t alone, reporting that 34 companies use the same underlying flawed software, including Microsoft, IBM, Xerox and Adobe. Those companies are part of the ONVIF Forum, an unofficial international consortium of hardware vendors.
Researchers believe bad code used in a software library responsible for the bug originated from the ONVIF Forum, which is responsible for maintaining software and networking protocols used by members. “While forums like ONVIF serve a useful purpose when it comes to issues of cost, efficiency, and interoperability, it is important to remember that code reuse is vulnerability reuse,” researchers said.
The vulnerability is in the communication layer of a software library used in those devices called gSOAP, a widely used web services development tool for XML that enables devices to talk to the internet, researchers wrote on a technical blog explaining the vulnerability on Tuesday. Approximately six percent of the forum members use gSOAP, Senrio said.
The vulnerability allows a remote adversary to flood the targeted device over port 80 with data and create a simple buffer overflow attack. Next, researchers say, the adversary can send a specially…