Devil's Ivy - A security Flaw in gSOAP and potentially millions of connected objects and servers affected - Xtreme Tech News

Jul 20, 2017

Devil's Ivy - A security Flaw in gSOAP and potentially millions of connected objects and servers affected


Security experts at the company Senrio were auditing Axis brand IP cameras when they stumbled across a flaw in the gSOAP communication layer. For those who do not know, gSOAP is an open source tool used to develop web services.




This cool flaw, called Devil's Ivy (CVE-2017-9765), allows an attacker to execute code remotely on servers. Clients can also be affected if they receive SOAP messages from compromised servers. Staying with the example of Axis cameras, it is possible to access a private video stream, or even to prevent the camera owner from accessing the feed.

gSOAP has been downloaded over a million times by developers worldwide and is widely used in many projects, including at large companies like Microsoft, IBM or Adobe. This means that many other software products and connected devices using gSOAP can also be affected by Devil's Ivy.

Here is a video demonstration of exploitation of this flaw on an Axis M3004 camera:





Senrio made the following recommendations for protecting yourself:

 - Do not expose your connected devices, alarms, security cameras and the like to the Internet. On the first of July, Shodan reported more than 14,700 vulnerable Axis dome cameras accessible from anywhere on the planet.

 - Install firewall-like protection systems in front of your connected devices, or at least use NAT, to reduce exposure and improve the detection of any attacks.

 - Patch your devices as soon as the manufacturers release updates.

This last tip is fun, we saw what happened with EternalBlue... So I imagine that we will hear from Devil's Ivy again, or whatever its next names are, in the near future (a few months)?
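One way to check the first two recommendations on your own edge router, as an added example that is not from Senrio or the original article: it parses `iptables-save` NAT output and lists port forwards that make camera addresses reachable from the Internet. The rule dump and the camera subnet are constructed sample values, and only IPv4 targets are handled.

```python
import ipaddress
import shlex

# Constructed sample: `iptables-save -t nat` output from a hypothetical edge router.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.21:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.5:22
-A PREROUTING -i eth0 -s 203.0.113.0/24 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.10.22:554
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
# Constructed inventory: the subnet where the cameras live (assumption).
CAMERA_NETS = ["192.168.10.16/28"]

def _opt(tokens, name):
    """Return (value, negated) for an iptables option, or (None, False) if absent."""
    if name not in tokens:
        return None, False
    i = tokens.index(name)
    return tokens[i + 1], i > 0 and tokens[i - 1] == "!"

def exposed_devices(rules_text, device_nets):
    """List inbound DNAT forwards whose target lies in one of device_nets."""
    nets = [ipaddress.ip_network(n) for n in device_nets]
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        target, _ = _opt(tokens, "--to-destination")
        if tokens[:2] != ["-A", "PREROUTING"] or target is None:
            continue
        # Target is "ip", "ip:port" or "ip1-ip2:port" (IPv4 only here).
        hosts, _, inner_port = target.partition(":")
        addrs = [ipaddress.ip_address(h) for h in hosts.split("-")]
        if not any(a in n for a in addrs for n in nets):
            continue
        source, negated = _opt(tokens, "-s")
        outer_port, _ = _opt(tokens, "--dport")
        # A missing or negated -s match means the forward is open to (almost) anyone.
        findings.append({"device": hosts, "outer_port": outer_port,
                         "inner_port": inner_port or outer_port,
                         "any_source": source is None or negated})
    return findings

if __name__ == "__main__":
    for f in exposed_devices(SAMPLE_NAT_RULES, CAMERA_NETS):
        scope = "ANY source" if f["any_source"] else "restricted sources"
        print(f"{f['device']}:{f['inner_port']} <- WAN port {f['outer_port']} ({scope})")
```

Forwards flagged with `any_source` are the ones to remove or restrict first; a source-restricted forward still deserves review.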

Source


