Was the Devil’s Ivy Vulnerability a Dud? Don’t Count on It.

In-brief: The Devil’s Ivy vulnerability in the open source gSOAP library is widespread and supposedly trivial to exploit. So why, one month later, haven’t we seen any attacks? Is Devil’s Ivy a dud? ‘Don’t count on it,’ security experts tell us.

In July, the warnings were all about the so-called “Devil’s Ivy” vulnerability, a security flaw in a common open source library, gSOAP, that affected hundreds of thousands – if not millions of devices worldwide. Now, almost a month later, there has been little evidence that hackers are using the widespread security flaw to aid them in attacks.

So, was Devil’s Ivy a dud? And were reports warning of the danger of a widespread and easy to exploit software hole overblown? ‘Don’t count on it,’ say security experts. The Devil’s Ivy vulnerability is almost certain to be used in attacks, though ‘when,’ ‘where’ and ‘why’ are questions that are difficult to answer.

Assaf Harel, the Chief Technology Officer at Karamba Security believes the worst is yet to come and likened Devil’s Ivy to the Windows vulnerability dubbed “Eternal Blue” that was discovered and ‘weaponized’ by the U.S. National Security Agency, and then leaked to the public and adopted by cyber criminal groups and nation-state hackers. Like that vulnerability, Devil’s Ivy – which allows attackers to run malicious code on systems that are vulnerable – is widespread and not difficult to trigger. Simple scans can locate exposed gSOAP interfaces. For example, a scan using the Shodan search engine returns more than 3 million hits, most for systems using un-patched versions of gSOAP.

M. Carlton, the researcher who discovered the flaw, said gSOAP is a widely used web services library by developers around the world. Genivia, which maintains the library, claims to have more than 1 million downloads of gSOAP and counts IBM, MicrosoftAdobe and Xerox as customers. On Sourceforge gSOAP was downloaded 30,000 times in 2017 alone. In part, that’s because of the number and variety of platforms that gSOAP runs on. The Genivia website notes that gSOAP runs on Windows 32 and 64 bit systems all the way back to Windows XP as well as many versions of Linux, Unix, Solaris and mobile– and embedded operating systems like iOS, Raspberry Pi and others.

The Devil’s Ivy flaw was discovered in security cameras made by Axis Communications, but affect a much wider population of devices. (Image courtesy of Senrio.)

But gSOAP is open source code, making it difficult to know exactly where the code is being used. “The proliferation of the code is beyond the control of the (source code) maintainer,” Harel said. The widespread use gSOAP within Internet of Things devices will further complicate efforts to fix the problem, he said. “Nobody think about security on these devices,” he said. The absence of automatic updating and patching for devices like IP enabled cameras mean that vulnerabilities linger long after software patches become available.

Others disagree that Devil’s Ivy will fuel an outbreak like WannaCry or Petya. Though widespread, the gSOAP vulnerability at the heart of Devil’s Ivy is no Eternal Blue, said Andrew Howard, the Chief Technology Officer at the firm Kudelski Security. For one thing: attacks that exploit Devil’s Ivy vary from device to device, depending on how the gSOAP library is used. That makes any malicious program that would use it more limited. That’s different from, say, the Mirai botnet, which spread mostly by taking advantage of default or weak administrator credentials on deployed devices. Also, the company that maintains gSOAP released a patch for the library alongside news of the vulnerability.

“This vulnerability requires significant configuration of each device,” Howard said. And, while many devices that use gSOAP are accessible from the public Internet, many more impacted cameras have either been patched or tucked behind firewalls since word of the flaw began circulating in the media.”When this vulnerability was announced, we saw many of our clients rush to evaluate and mitigate their exposure. For many, simply re-evaluating the public-Internet exposure of their cameras was sufficient to mitigate this attack,” he said. In the end, that combination of factors added up to a softer blow from Devil’s Ivy than previous open source holes such as Heartbleed or exploits like Eternal Blue.

Still: security experts say agree that it is too early to celebrate. Web service libraries like gSOAP are major targets for potential attackers, especially those connected to less-secure Internet of Things devices, said Howard of Kudelski Security. “You can expect to see more vulnerabilities announced against these widely used core libraries as IoT proliferates,” he said.

“It’s not the last time we’ll see Devil’s Ivy,” said Karel of Karamba Security. “This is a problem that will repeat itself time and again.”

Security Ledger wants to hear your thoughts! Leave a reply.