By Eric Watkins, Senior Malicious Detection Researcher at zvelo
This week, a new remotely exploitable security vulnerability, known as Devil’s Ivy, is affecting the C++ library used by thousands of different IoT device vendors. The most popular devices being compromised are IoT video cameras; however, the associated risk is not limited to video cameras alone. IoT vendors often use chipsets from 3rd party OEMs as a means to quickly and easily integrate new features and additional functionality. As a consequence of using a vulnerable 3rd party chipset, unauthenticated attackers can crash the device and/or execute arbitrary code on the product.
Devil’s Ivy takes the form of a simple buffer overflow; however, the prevalence of the gSOAP library (used to create the IoT device firmware) means that the impact of Devil’s Ivy will need to be assessed across several different vendors before it can be fully resolved. AXIS, the largest video camera manufacturer whose devices are being targeted, has declared Devil’s Ivy a “critical vulnerability” that impacts almost all of its products.
Learn more about Devil’s Ivy from the Common Vulnerabilities and Exposures website (CVE) – The Standard for Information Security Vulnerability Names by reading CVE-2017-9765.
The AXIS Security Advisory announcement is another valuable resource for more information about Devil’s Ivy.
Acting as a responsible IoT device manufacturer, Axis has been quick to respond and has already issued firmware updates for some of its internet-connected devices potentially impacted by Devil’s Ivy.
If you have any Ethernet-enabled video cameras, we highly suggest that you research your product online to find out if the vendor has released a security patch for Devil’s Ivy.