Nmedia - Fotolia

Devil's Ivy vulnerability: How does it put IoT devices at risk?

A gSOAP flaw was found in an Axis Communications security camera and branded the Devil's Ivy vulnerability. Learn how it threatens IoT devices with expert Nick Lewis.

Researchers at Senrio discovered tens of millions of internet of things devices affected by the Devil's Ivy vulnerability, which enables attackers to gain remote access to devices, or even crash them. Among the affected devices are security cameras from Axis Communications and other companies on the ONVIF Forum. What is the Devil's Ivy vulnerability and how does it work?

Branded vulnerabilities have long since jumped the shark. While it is extraordinarily boring to use a name like CVE-2017-9765, it is also extremely efficient and enables enterprises to track the vulnerability across their entire enterprise.

Some vendors may not use the branded name, or they may decide to name the vulnerability something different -- much like antimalware vendors use different names for the same malware, or even multiple names for the same groups of attackers.

Tracking a vulnerability across an enterprise is the key to an effective vulnerability management program.

Tracking a vulnerability across an enterprise is the key to an effective vulnerability management program. Given how easy it appears to be to find vulnerabilities in internet of things (IoT) devices and the rapid growth of threats that exploit them, being able to effectively manage vulnerabilities is critical.

Senrio identified a stack buffer overflow vulnerability it named Devil's Ivy in an IoT security camera from Axis Communications. Axis further found the vulnerability in a third developer toolkit called gSOAP, which is widely used in IoT devices. The vulnerability in gSOAP enables an attacker to remotely access a system and potentially deny access to users.

Senrio researchers used the development environment Axis left on the device to investigate the gSOAP vulnerability so they could use the developer environment to monitor the device and to identify what caused the service to crash. After their investigation, they identified an open port that accepted connections and sent malicious data to the gSOAP listening port. This enabled them to execute shell code on the target system that further enabled them to exploit the Devil's Ivy vulnerability to take over the system.

Any system using the unpatched version of gSOAP is vulnerable and could potentially be exploited in this way.

Enterprises should ensure that any device they procure or use can be patched. Likewise, for high-value systems, they may want to perform a risk or security assessment on devices to determine if they meet security requirements.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing