The software vulnerability, which Senrio dubbed “Devil’s Ivy,” was introduced by a third-party software library. It would allow an attacker who could connect to an Axis camera from the public Internet to take control of it, even if she did not know the user name and password required to log into the device. As of July 1st, a search of Shodan indicated over 14,700 Axis dome cameras publicly accessible to anyone in the world, Senrio said.
“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded,” Senrio wrote.
Axis has since patched software for 294 models of cameras affected by the vulnerability. However, the vulnerable library in question is used by hundreds and possibly thousands of other applications and may impact an untold number of devices of all shapes and sizes.
“Code reuse is often just vulnerability reuse,” said M. Carlton*, Vice President of Research at Senrio, who discovered the flaw. “When you bring in a 3rd party library you trust it and that’s how it finds its way into thousands or tens of thousands of devices.”
In the case of the Devil’s Ivy vulnerability, the problem is with an open source third-party code library, called gSOAP, which is a common implementation of the Simple Object Access Protocol (SOAP) that allows devices of all types to communicate over the Internet. gSOAP is managed by the firm Genivia.
Carlton said gSOAP is a widely used web services library by developers around the world. Genivia claims to have more than 1 million downloads of gSOAP. The company counts IBM, Microsoft, Adobe and Xerox as customers. On Sourceforge gSOAP was downloaded 30,000 times in 2017 alone. In part, that’s because of the number and variety of platforms that gSOAP runs on. The Genivia website notes that gSOAP runs on Windows 32- and 64-bit systems all the way back to Windows XP as well as many versions of Linux, Unix, Solaris and mobile and embedded operating systems like iOS, Raspberry Pi and others.
Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines. And any software or device manufacturers who rely on the gSOAP library to support their services are affected by Devil’s Ivy, Senrio warned.
As bad as that sounds, the true impact of Devil’s Ivy may be worse. That’s because Axis is one of thousands of companies that are part of the ONVIF forum, an organization responsible for maintaining a range of general purpose software and networking protocols used in physical security products. That means that the Devil’s Ivy gSOAP vulnerability may have also found its way into the products of hundreds of ONVIF forum members.
“It is likely that tens of millions of products — software products and connected devices — are affected by Devil’s Ivy,” Senrio warned. However, it may be difficult to assess the full extent of their exposure, said Carlton. In the case of the Axis cameras, the gSOAP code that was implemented was not specifically identified as such, making it unclear where the code came from, Carlton said. Software or hardware makers that use gSOAP may be unaware of where and how frequently it is used across their product base.
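The inventory problem Carlton describes (a vendor not knowing where gSOAP sits in its own code base) is one a product security team can attack mechanically. The script below is an added example written for this page; it is not Senrio's or Genivia's code. It walks a source tree and flags files that look like gSOAP runtime or gSOAP-generated code, then counts hits per top-level product directory. The markers it looks for are my assumptions: that the runtime ships as stdsoap2.c/.h, that soapcpp2-generated files are named soapH.h, soapStub.h, soapC.c and the like, that generated code includes "soapH.h"/"soapStub.h", and that the runtime advertises itself with a "gSOAP/x.y" version string. Check those against the gSOAP version you actually ship before relying on the results. The sample tree it scans is constructed inline in a temporary directory.

```python
"""Locate gSOAP-derived code in a source tree (added example, not from the article).

Marker assumptions (mine, not from the article or Genivia): runtime files are
stdsoap2.c/.h, generated files are soapH.h / soapStub.h / soapC.c / soapClient.c /
soapServer.c, generated code includes "soapH.h" or "soapStub.h", and the runtime
carries a "gSOAP/<major>.<minor>" version string. Verify against your own copy.
"""
import os
import re
import tempfile
from pathlib import Path

# Markers matched against the file NAME.
NAME_MARKERS = {
    "runtime-file": re.compile(r"(?i)^stdsoap2\.(c|h|cpp)$"),
    "generated-file": re.compile(r"^soap(H|Stub|C|Client|Server)\.(c|h|cpp)$"),
}

# Markers matched against the file CONTENT.
TEXT_MARKERS = {
    "generated-header": re.compile(r'#include\s+"soap(H|Stub)\.h"'),
    "user-agent": re.compile(r"gSOAP/\d+\.\d+"),
    "runtime-api": re.compile(r"\bsoap_(serve|init|new_req|bind)\b"),
}

SOURCE_SUFFIXES = {".c", ".h", ".cpp", ".hpp", ".cc"}


def scan_file(path: Path) -> dict:
    """Return {marker name: count} for every gSOAP marker found in one file."""
    hits = {}
    for name, pattern in NAME_MARKERS.items():
        if pattern.search(path.name):
            hits[name] = 1
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits
    for name, pattern in TEXT_MARKERS.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_tree(root: Path) -> dict:
    """Walk a source tree; map each flagged file (path relative to root) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if p.suffix.lower() not in SOURCE_SUFFIXES:
                continue
            hits = scan_file(p)
            if hits:
                report[str(p.relative_to(root)).replace(os.sep, "/")] = hits
    return report


def summarize(report: dict) -> dict:
    """Collapse per-file hits into a count of gSOAP-related files per top-level product dir."""
    per_product = {}
    for rel in report:
        product = rel.split("/", 1)[0]
        per_product[product] = per_product.get(product, 0) + 1
    return per_product


def build_sample_tree() -> Path:
    """Construct a small fake monorepo (sample data for this example, not real product code)."""
    root = Path(tempfile.mkdtemp(prefix="gsoap-inventory-"))
    samples = {
        "camera-fw/onvif/stdsoap2.c": '/* runtime */ const char *ua = "gSOAP/2.8";\n',
        "camera-fw/onvif/device.c": '#include "soapH.h"\nint run(void){ return soap_serve(0); }\n',
        "camera-fw/onvif/soapH.h": "/* generated */\n",
        "nvr-app/src/main.c": "int main(void){ return 0; }\n",
        "nvr-app/src/vendor.c": '#include "soapStub.h"\n',
        "docs/README.md": "gSOAP/2.8 mentioned in prose only; not a source file.\n",
    }
    for rel, body in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    rep = scan_tree(sample_root)
    for rel, hits in sorted(rep.items()):
        print(f"{rel}: {hits}")
    print("gSOAP-related files per product:", summarize(rep))
```

Run against a real repository by calling `scan_tree(Path("/path/to/monorepo"))` instead of the constructed tree. Matching file names as well as content matters: a vendored stdsoap2.c is the actual runtime that needs patching, while a file that merely includes soapH.h tells you which product line links against it.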
This is just the latest problem in the so-called “software supply chain” with widespread impact. The Heartbleed vulnerability, discovered in the OpenSSL open source software, prompted a rash of emergency patches and was used in at least some targeted attacks. Three years after it was first discovered, Heartbleed continues to plague organizations worldwide.
Senrio advised companies to keep physical security devices off the public Internet when possible and to protect them from Internet-based attacks using a firewall or other protective measures. Patching devices, when possible, is a must.
“We forget or don’t realize that many of the devices we use every day are computers,” Carlton told Security Ledger. “They are just as vulnerable, if not more vulnerable, as the PC you sit in front of every day.”
Correction: an earlier version of this story incorrectly identified Senrio’s VP of Research, M. Carlton.