SoylentNews

Fnord666 [soylentnews.org] writes:

A vulnerability codenamed Devil's Ivy is putting thousands of Internet-connected devices at risk of hacking.

Discovered by security researchers from Senrio, the flaw affects gSOAP [genivia.com], a C/C++ library widely used in the development of firmware for embedded devices.

gSOAP is a dual licensed (free and commercial) product developed by Genivia, who on its website says the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."

Senrio researchers initially discovered the vulnerability while analyzing the firmware of the Axis M3004 security camera.

After contacting the camera vendor with their findings, Axis told Senrio that the Devil's Ivy vulnerability affects 249 of 252 security camera models the company makes, which use firmware that includes the gSOAP toolkit.

The vulnerability is a simple buffer overflow, but Senrio researchers have managed to use it to execute code on the Axis security camera

[...] The problem is that gSOAP is very popular among many IoT and networking equipment vendors. On their website, Genivia claims the library was downloaded over one million times.

[...] A technical report detailing the vulnerability is available here [blog.senr.io]. Devil's Ivy is tracked as CVE-2017-9765.

Source: BleepingComputer [bleepingcomputer.com]

Additional Coverage at:

• Wired [wired.com]
• Krebs on Security [krebsonsecurity.com]

Advisory [genivia.com] from Genevia.

Original Submission