ONVIF Exposure To "Devastating DDoS Attacks" Examined

By Ethan Ace and John Scanlan, Published Sep 06, 2019, 09:12am EDT

ZDNet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing the exposure of ONVIF devices.


And after an IPVM discussion asking about ONVIF being 'dangerous', Verkada launched a Facebook ad declaring that:

IPVM investigated the vulnerability, speaking with the researcher, examining:

  • What the risks are and how severe they are for ONVIF devices
  • How the vulnerability works and what conditions must be met
  • ONVIF's response to the vulnerability
  • Input from the researcher
  • Potential for abuse
  • Mitigation steps

Executive *******

*** **** ** ********** ONVIF ***** ** ********* low ** ** ******** a *********** ** ******** errors: (*) * ******, non-standard, **-********* ************** **** (2) ******* * ***-********, uncommon **** ** *** public ********.

** *** ***** ****, devices **** **** **** conditions ** ********* * threat ** ***** *********** used ** **** *******.

No ******* ** ****** ** ******

** ******** ***** ***** not ** **** ** take ******* ** *** device, **** *****, ****** to *****, ***., **** if * ****** ***** both **********.

Faulty **-********* ******** *** *******

** ***** ** ** vulnerable ** **** *******, cameras **** *** * faulty **-********* ************** ***** allows ********* ** ** sent **** *** ********.********* ** **-*********'* **************, ** **** ********* and ************* ** ******** **** the ********:

************, ***** ** ***** disabled ** ******* ** current *******, ********* ****, Dahua, *** *********, ** it **** ** ******** enabled ** ***** *** WS-Discovery ** *** **** locally.

Uncommon **** **** ** **** (***/****)

******, ******* **** ********-****-********** (**** ********, *** not ***********, **** ** ONVIF) *** *** **** 3702 **** ** *** internet (** ******** ****).

*** **** **** **** allow ******** ******* **** the ******** ** **** attackers *** **** **-********* requests. **** ***** **** port **** **** ** forwarded ********, ********* ****, ** ** ******** connected ** *** ******** without * ******** ******** ports (*.*., ******** ********* to * *****).

**** **** ** ********,*** * ****** ****, *** ******** ** be ******** ********* ** anyone ***** **** ****** users. ****** ***** ** or *** ***** *** commonly ******** *** ****** access ** ******* *** open ** *******/*********, **** is ************* ****** ******** to ** ****.

UPnP ********* ******** ** *******

************,***** ** *** *******, **** ************* ******* UPnP ** *******. *******, it ** ******** **** older ********* *** **** enabled **** *** ****** port ****.

Low **** / *********** ** **** ******* ********

***** **** ***** ******* are ************ **** ***********, all ** **** ***** true ** ****** ******** in *** **** ******** of *************.

ONVIF ********

**** ******* ***** *** more *********** ** **** exploit. ***** ******** *****, in *****, **** ** contact ************* *** ********* guides:

***** ******** ********** *** selects ********* **** ******* integration *** ********** ** physical ******** *******. **** manufacturer **** **** ******** hardening *** ******* ********** to ***** ***** ******** to ** **** ** a ****** ****** ** various ******* ************. ** a ******* **** ***** profiles **** ******** *** use ** ******** ******** where ********** ******** ******** were ** ***** ** help ***** (******* ****’* and *********) ** ******* eliminate (******* *******) ****** to *** ********* **** an ******* ******. ** users ******* ********** ********** ******* **** *********** about *** ** ******** harden ***** ******** *** deployment, **** ****** ******* the ****** ************.

Axis ********

**** ********* **** **** were ********** ***** *** analysis *** ******:

** *********** **** ** is ******** ** **** the ********* **** ****** using ******* **-********* *******. This ** ******** ** the **-********* ******. ***** did *** ****** **, ONVIF **** ********* ** use **-********* ** ******** deployment.

*** ****** ** ******* devices *** *** ********** of **** ****** *** always ** **********. ** the ****** *** ******* it ** ********** - not **** *** ****. We *** ******* ******** to ****** *** ****** of ********-****** ******* ********* hardening ***** *** ****** Remote ***** ****** (**** Companion). ** ******** ********** customers *** ******** ******** devices ** ********.

Manufacturers ********

********* ** ****** *******, the ********** ****** ** the ***** *******, **** percentages ** *** ******** exposed ******* ** *** found *** **** **** and *****. *** *** searches ******* **** ****** 100,000 ***** ******* ******* to ******** *** **** UDP **** ****. *******, we ***** *** **** such ******* ** **** devices *******. ** **** not ********* ***** ******* are ********** ** ********** to ****** **-********* ********, but ******* *** ****** multiple ******* ***** ** these ******** *** *********.

*******, ** *** *******, current ***** ****** ** not **** *** ******* by *******, *** ** they **** **** ***** enabled.

Exploit ********

****** ***** ******** ** this ******* **** ********* ~350 ****, *** **** recently, ******* ** ***+ Gbps **** ****. *** reference, *** **** ** approaching *** ********* ** the **** ********* **** ***** ** Security (*** ****)*** ***** ** **** that ***** **** ********** ** **** (*.* Tbps), *** ******* **** ever ********.

** *** **** ** writing, ***** **** ***,*** public ****** ******* **** UDP **** **** **** responding ** "*****" *******, shown *****:

*** **********, *******, **** us **** **** ** these ****** ********* ********* to **-********* ******* ****. He **** **** **** sending * ***** ******* often ****** * **** larger ********, **** ************* of **** ********.

Potential ******

****** ******* ************* *** unlikely ** ** ********* using **** *************, ~***,*** rogue ******* **** *********** potential *** ******. *** example, *** ***** ******, which ********** ******** ~***,*** devices ** *******, *** used ****** **** * *******'* internet,******* ******, *** ****.

**********

*** ********** *****, ***** are *** ***** ***** which *** ** ***** to ****** **** *** not ********** ** **** exploit:

  • ******* ****:******** **** ************* ******* UPnP ** *******, ** may **** **** ******* by ******* ** *** older ********.
  • ****** **** **** ** closed:***** ****** **** **** sure **** *** **** 3702 ** ****** ** their ****** ** ******** and *** ***** ******** traffic ** **** **** to *** ********.

*** ***** *** *** unaware ** *** ******* enough ** **** ***** changes, ********** *** ********* impact ** ***** ******* will ****** **** ** ISPs, ** **** *** choose ** ***** ** rate ***** ***** ********.
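As an added example (not IPVM's code, nor the researcher's or any manufacturer's): a small Python check that sends one standard WS-Discovery Probe, unicast to UDP/3702 on a host you own, collects any ProbeMatches replies and reports how many bytes come back per byte sent. Run from outside the network, a timeout confirms the mitigation above (port 3702 is not reachable from the internet); run from inside, the ratio shows the amplification a single probe yields against that device. No source-address spoofing is involved. The embedded ProbeMatches reply is constructed sample data using RFC 5737 / RFC 3849 documentation addresses, and the `dn:NetworkVideoTransmitter` type filter is the one ONVIF clients commonly send; both are assumptions, not values taken from the page.

```python
"""Unicast WS-Discovery probe check for an ONVIF device (added example, not IPVM's code)."""
import socket
import sys
import uuid
import xml.etree.ElementTree as ET

WSDD_PORT = 3702  # WS-Discovery, SOAP over UDP
NS = {
    "e": "http://www.w3.org/2003/05/soap-envelope",
    "w": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery",
}
WSDD_ACTION_PROBE = "http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe"

# Standard WS-Discovery (2005/04) Probe as sent by ONVIF clients; the Types filter
# (dn:NetworkVideoTransmitter) is an assumption about what typical clients send.
PROBE_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope"'
    ' xmlns:w="http://schemas.xmlsoap.org/ws/2004/08/addressing"'
    ' xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"'
    ' xmlns:dn="http://www.onvif.org/ver10/network/wsdl">'
    "<e:Header>"
    "<w:MessageID>{message_id}</w:MessageID>"
    "<w:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</w:To>"
    "<w:Action>{action}</w:Action>"
    "</e:Header>"
    "<e:Body><d:Probe><d:Types>dn:NetworkVideoTransmitter</d:Types></d:Probe></e:Body>"
    "</e:Envelope>"
)


def build_probe(message_id=None) -> bytes:
    """Return one WS-Discovery Probe datagram; MessageID is echoed back in RelatesTo."""
    if message_id is None:
        message_id = "uuid:" + str(uuid.uuid4())
    return PROBE_TEMPLATE.format(message_id=message_id, action=WSDD_ACTION_PROBE).encode("utf-8")


def parse_probe_matches(payload: bytes) -> list:
    """Extract endpoint, types, scopes and XAddrs from each ProbeMatch in a reply."""
    root = ET.fromstring(payload)
    relates_to = root.findtext("e:Header/w:RelatesTo", default="", namespaces=NS)
    matches = []
    for m in root.iterfind(".//d:ProbeMatch", NS):
        matches.append({
            "relates_to": relates_to,
            "address": m.findtext("w:EndpointReference/w:Address", default="", namespaces=NS),
            "types": (m.findtext("d:Types", default="", namespaces=NS) or "").split(),
            "scopes": (m.findtext("d:Scopes", default="", namespaces=NS) or "").split(),
            "xaddrs": (m.findtext("d:XAddrs", default="", namespaces=NS) or "").split(),
        })
    return matches


def amplification_factor(request: bytes, responses) -> float:
    """Bytes returned per byte sent: the multiplier a reflected flood gets from this device."""
    return sum(len(r) for r in responses) / len(request)


def probe_host(host: str, port: int = WSDD_PORT, timeout: float = 2.0):
    """Unicast one Probe to host:port and collect every reply datagram until timeout.

    Some devices answer with more than one datagram, so keep reading until silence.
    """
    probe = build_probe()
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                responses.append(data)
        except socket.timeout:
            pass
    return probe, responses


# Constructed ProbeMatches reply modelled on a typical ONVIF camera answer; the UUIDs,
# hardware/name scopes and 192.0.2.10 / 2001:db8::a addresses are documentation values.
SAMPLE_PROBE_MATCHES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope"'
    ' xmlns:w="http://schemas.xmlsoap.org/ws/2004/08/addressing"'
    ' xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"'
    ' xmlns:dn="http://www.onvif.org/ver10/network/wsdl">'
    "<e:Header>"
    "<w:MessageID>uuid:5b3e1c2a-0000-4000-8000-000000000002</w:MessageID>"
    "<w:RelatesTo>uuid:5b3e1c2a-0000-4000-8000-000000000001</w:RelatesTo>"
    "<w:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</w:To>"
    "<w:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/ProbeMatches</w:Action>"
    "</e:Header>"
    "<e:Body><d:ProbeMatches><d:ProbeMatch>"
    "<w:EndpointReference><w:Address>urn:uuid:2419d68a-2dd2-21b2-a205-000000000001</w:Address></w:EndpointReference>"
    "<d:Types>dn:NetworkVideoTransmitter</d:Types>"
    "<d:Scopes>onvif://www.onvif.org/type/video_encoder onvif://www.onvif.org/type/audio_encoder"
    " onvif://www.onvif.org/Profile/Streaming onvif://www.onvif.org/hardware/EXAMPLE-CAM-1"
    " onvif://www.onvif.org/name/ExampleCamera onvif://www.onvif.org/location/country/none</d:Scopes>"
    "<d:XAddrs>http://192.0.2.10/onvif/device_service http://[2001:db8::a]/onvif/device_service</d:XAddrs>"
    "<d:MetadataVersion>1</d:MetadataVersion>"
    "</d:ProbeMatch></d:ProbeMatches></e:Body></e:Envelope>"
).encode("utf-8")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    req, resps = probe_host(target)
    if not resps:
        print(f"{target}: no reply on UDP/{WSDD_PORT} (closed, filtered, or WS-Discovery disabled)")
    else:
        print(f"{target}: {len(resps)} reply datagram(s), amplification x{amplification_factor(req, resps):.1f}")
        for m in parse_probe_matches(resps[0]):
            print("  XAddrs:", " ".join(m["xaddrs"]))
```

Usage: `python3 wsdd_check.py <camera-ip>` from a host on the public internet should print "no reply" once port 3702 is no longer forwarded; the same command from the LAN shows the reply size and, via XAddrs, the ONVIF service URL the device is advertising. Even the single constructed reply above is roughly twice the size of the probe, and real devices may answer with several datagrams, which is why an open 3702 is worth closing regardless of whether the device itself is compromised.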

Comments (24)

* ***** **** "*** risk" ******* *** **** that **** **** ***** 627 ******** ******* ** the ******** ***** ****, over *** ******** **** report ********** ** ***** device.

* ****** *** ******** to ** ******* ******** exposed ** *** ********, but **** ****** ** simple ** *****. ** the ****** **** ******** to ******** ** *** multicast *******, **** **** makes ** **** ****** for *** ******** ** send *** *******.

Disagree: 4

* ***** **** "*** risk" ******* *** ****

*** **** ** ****** who **** ***** *******. The ********** **** ***'* ONVIF ****** ** **** of **** **** ** extremely *** ******* ** this ****** ******** ************.

**'* ********* * ****** risk ** ******* **** might ** *** ***** these *******.

Agree: 2, Funny: 1

* ***** *** ***** not **** ** *** it ** *** **** because ** ******* ********** requirements *** ****** ** the ****** ******; *** vulnerability ** ***** *** exploitable. **** ********** ****** having ***** ***** ****, and **** *** ******* networking ********* ** *****, the ****** **** ** a ****** ****** ***** discoverable ****** ***** **** in * ****** ** extremely ****.

********* *** **** ** a ************* ***** ** an ********** ******-**** ** experiencing ** ** ***** sighted. ** ***** ** akin ** *** ******** about * ******* ************* update ******* *** **** have * * ** 10000 ****** ** *** specific ******* ***** **** to ****** **** ********. You ***** **** ** take ** ********* *** update.

**** ** **** ******* version ** *** *** amplification ******. *** ***** everyone ****** ** *** a ****** ********, ***** people ********** **** *** could ***** *** *** server ** ****** * target.


*** ****** **** ** a ****** ****** ***** discoverable ******”

*** *** *** ********** of * ******** ****** ONVIF ****** ** *** specific **** ******, **** no ************ ********** ** use, ** **** ***.

Agree: 4

********* *** **** ** a ************* ***** ** an ********** ******-**** ** experiencing ** ** ***** sighted.

**, **’* **** ***** human ***** **** ***** day. ***** *** * vast ***** ** ***** every **** *** **** out *** **** *** most *** *** *** you *** ****** ******.

** **** ****, ** is ***** ** *** what *** *** ******** to *** ******** *** in *** *************** **** case **** ** ****, close **.

Agree: 3

********** ** **** ********** risk ** ****, ** is ***** * ****** concern, *** ******* **** a ******** ******* ** their ******* ***** ** make **** *** **** is *****. *** ****** surface ** ***** ****** with ****** ************* ** warrant * ****** **** assessment.

Disagree: 3

******** * *** *** the ***** ** ***** this ***, ***** ** was ********* ** * previous ******, * ******** this ******** ** ****** ***** *********?******:

Why **** ******* (** *** ******) **** ~**% ** *** ******* *******?

*** *** *****'* ****** but ** (*** *** original ******) ***** **** is ******* ****** ** try *** **** *** why **** **?


*** *** *** ******** that **% ******? ********* to ******, *** ***** results *** ***** (******** for **** ****) ** 181,542. *** ***** *** Vietnam ** **,***. ****'* 17%.

*** *** ***** ******* from ********* ****?

**** ** ** ** 17%, ******, * ** still **** ** *** that ******* *** *** largest **********.


* **** *** ******* from *** ******* ****** towards *** *** ** the **:

*** * **** * calculator ** *** *** figure ** **.************** ([***,*** x ***] /***,***) - and *********** **** ** ~80%.


*** ******* **** ******** from**********.


*** ****** ** *** left ** *** ******* is *** *** ****** of ******* ** **** country, ** ** *** column ** *** *****:

Agree: 1

***.

**** **** *** ******* column **** ** ******** represent ** *** ******* column ***** ********* ********** exposed ******* ** **** country?


******* ******** **** **** open **** *** *********.

** ***,*** ** *** devices **** **** **** open **** ***** *******, based ** *** ****** returned.


**** *** *** *** of *** ***** ***** categories **** ****** '*********'-***** numbers **** ******* '********'-***** numbers?


**** *** *** *** of *** ***** ***** categories **** ****** '*********'-***** numbers **** ******* '********'-***** numbers?

******* *** *** ********* are *** *****, *** most, ** *** ***, products ***, **** *** in ********** *****.

****, *** *** **** the **** ** *** graphic, ******** **** *** line *** *****?


**** *** *** ***** devices. * ** *** sure **** ********** ** query/response ** *** *********** to ******** **** **** different ******** *** **** are *** ***** ******* with **** **** ****.

**** ** ** ******* of ** ***** ****** when * ** ** the *** *********:

"******* **** ******" **** I ****** ** *** interface:

*** **** ** **** of *** ***** ******* categories. * ** ******** they ****** ** ***** identifier *********** ******* *** product ********** *** **** emailed **** *** **** detailed *******.


***** **** ***** ******* are ************ **** ***********, all ** **** ***** true ** ****** ******** in *** **** ******** of *************.

*** **** *** *** true ** ** ***** 600,000 *****, *****?


*** ******** ******** ******* figured *** *** *** largest ********** ** ***** at **** ******* *** in *******?

********, ******* *** **** than * ********* ** the ******* ** *** U.S. *** ***** ******* 3702, *** **** ** has******** *** *.*.?

***, **’* *** ******** to ** ******. ******** this *** **** *** in ********* *** *** an ******* ****** **** is.

Agree: 1, Informative: 1

***** *****'* *** ********* popular ********** *** *****'* know **** ****'** *****? Maybe **** *** * shortage ** ******* *** ended ** ********** * lot ** ******* ******** to *** ********?

* ****** ** *** can ********* ****** *** effects ** * **** by ******** *******.

Funny: 1

******* ***** ********* **** cameras, *** *******, ***. Maybe ***** *** *** devices **** *** ***** that ****. ***** ** has ******* ** ** with *****, ****** ** uses **** **** *** reports ****. ***** ***** are ***** **** ******* all **** *** ***** that *** *** ******* in ***** ******* ** the **, ***... *** knows....


"*** *****...."

***, *** **** ** a ****** ******** **********, no?

*** *** *** ********* data **** ******** ** all ** *** **** itself ** ************ ***** on *********** *********?


****'* **** *** ******* to **** ***** ***** dangerous ******* ** *********** to *** *** ****** feature *** ****.

***, *** *** **** IP(ping ** ***** ******!) is ********* ** ****. DNS *** **** *** can ***** *** ** used *** ****. ** here ** **, ***'* stop ***** *** *** use *********** *** **********.

Agree: 3

** ******* ****** **** their *******, *** ***** servers, *** *** ********** to *** **** ** DDoS ******?

** **, *** **** if **** **** ** I ****** ****.

Agree: 3, Informative: 1, Funny: 7

******:**** ****** * ******** advisory ** ****, ******* ********* *****:

***** **** **** *** impact ** *******, **** acknowledged **** **** *** susceptible:

*** **** ******* **** supports ***** *** *********** to *** ********* ******. WS ********* ** ******* by ******* ********** ** ONVIF *** ** **** or ***.

*** **** **** *** evaluating ****** ******** ******* for ****:

**** ** ************* ********* WS ********* ******** ** reduce **** ** **** 3702 ** *******. ** adjustments **** ** ****, they **** ** ********* in * ****** ********* firmware *******.

** **** ****** ** they ** ****.

Agree: 1