ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered (Devil's Ivy)

By IPVM Team, Published Jul 10, 2017, 08:49am EDT

A vulnerability has been discovered in a toolkit that video surveillance manufacturers widely use for implementing ONVIF.

In this report, we examine what this vulnerability is, how it works, who is impacted, and what to do.

SOAP ******* *************

*** ************* ****** ** a*******'* ***** *******, ***** *********** ******** HTTP ****. **** ***** surveillance ************* ************ ***** use ***** ** ***** requires****.

******* *** ************ *** vulnerability** ******** *.* ** 2.8.47, ******:

******** *** ****** ***** release *.*.** ** ******* to *** * ********* vulnerability **** *** ** exposed **** ***** *** specific *** ******** **** 2 ** ** ****.

**** ****** ******** *** be **** ** ***** various ******* ** *** device ******, ********* ******* root ******.

*** ** *** **** this ******* (** ******** of **) ** ******** within ****** ********, ***** generally **** ** **** way ** **** ** the ******** ** ***** device ** ******** ******* a ************ ************.

Vulnerability **********

[****** */**/****] ****** ******** their ******** **** *************, including ****** ** "*****'* Ivy" *** ********* ********:*****'* ***: **** ** Widely **** *****-***** **** Impacts ********.

Widely **** ** *************

*******'* ***** ******* ** widely **** *** ***** implementations ***** *************, ********* to ************* **** ***** with. *** ******* **** could ** **** *** non-ONVIF ********, **** ** to ****** * ******* camera ******/************* ***.

Blocking ***** *******

***** *** ************* ******* on ********* ***** ***** (e.g., ***) ** ******* the ****** ********, ** a ************ ********* **** uploads, **** ** **** use *** ******** ***** versions, **** ***** ** protected. **** ** ********, but *** ****** ****, based ** *** *** server **** *** ****** uses.

Manufacturer ********* ** ************* *********

**** ***** * ****** of ******** ************* ***** this *************. ***** ********* are *****:

  • *******: **, **** *** use ***** *******.
  • ********: ***,******** ******** ******, *** ******* ********/***
  • ****: ***,******** * ******** ******, *** ******* ********.
  • *****: **, **** *** use ***** *******
  • *****: ************
  • *****: ***, *** **** of ******* *********, *** ETA: ********* ****
  • *******: **, **** *** use ***** *******.
  • ******: **, **** *****, but ****** ** ******* XML **** *******.****** ********* ** ***** vulnerability.
  • *********: **, **** *** use *****.
  • *********: ***, ******* *** in **** *******. ********* following ***** ** ************ ********* ******* ****** *****.
  • *********: **, **** *** use ***** *******.
  • *****: **, **** *****, but ***** ** ****** XML **** *******.

*** ************* ********, ***** should ***** ******** ** support/firmware ******* *** ***** manufacturers, ** ** ** possible *** *** ******** are ********, ** **** patched ******** ** *** yet *********.

**** ***** ** ****** this **** ********* ** we *******.

100s ** ************* *******

***** **** *** ******* out ** * ****** of *** ****** *************, hundreds ** ********* / manufacturers *** ***** (***+ ONVIF ******* *** *,***+ ONVIF ******* * ******** as ** **** ***********). We ******* **** ** them *** ********.

ONVIF ************ ** *****

****** *** ***** ******* is ***** **** ** implement ***** ************* ** devices, *** ************* ** related ** *** *******, not ***** ************. ** is **** ******** *** manufacturers ** ********* **** ONVIF *********** ******* ***** this *******. *** ***** reasons, * ******'* ***** profile ******* ** *********** listing *** *** ** used ** **** *** indication ** **** *** this *************.

ONVIF ***** *** ********* ** *******

***** **** *** ********* comment ** **** ********* gSOAP *** **** *************:

***** ** *** **** of *** ***** **************, but ** **** ** the **** *** *** ONVIF ***, ** ** possible **** ***** ***** members ***** ** ********. ONVIF, *********, ****** ** send *** * ********* to *** ******* ** make **** ***** ** the *************.

No ***** ** ******** ********

****** *** *** ******** any ***** ** ******* code *** *** *******, making ** ****** ******** to ** **** ** any *****-**** *******, *** more ** * *********** risk. ******* *** **** not ******** *** ********* of ***** ***** ********, in ***** ** **** it **** ********* *** potential ********* ** ********** exactly *** *** ******* could ** ******* ***.

Low **** ** *******

*** ****** ** ****** overflow ******* ***** **** somewhat ****** ********, *** can ******* ***** *** error, ** **** ********* of *** ****** ******, to **** * ********** attack **** ******* **** or ******** **** ******. Because ** ****, *** the **** **** *** details ** *** ******** XML ********** ******** *** an ******* *** ***** released ** **** ** hard *** **** ************* will ** *** ** real ***.

Mitigating ****

******* ** **** ***** cyber ******** *************** ** network *******, *********** ******* access ** *** **** will ******* ****** *** chance ** *******. ******* utilizing * *** ** recorder *** ****** ******, instead ** ***** ******** connected ** *** ********, are *********** ****** **** remote ****** (****** ** is ******** *** *** VMS ****** ** **** vulnerabilities). ************, ********* ******** to ************-*********** ********, ** they ****** *********, **** eliminate **** ******** *************.

Comments (23)

nice tight informative to the practioner reporting.  these are the articles that make subscribing more than worth it.

UPDATE - we received a response from Hikvision that they do not use the gSOAP toolkit, and updated the report accordingly.

 

...users generally have no easy way to tell if the firmware in their device is affected without a manufacturer confirmation.

Perhaps a test can be fashioned, based on some unrelated behavior, like was done with the Heartbleed bug.

However, given what is already known, and the fact that the toolkit developer has released a patch, the formal release will likely not provide any significant new information.

Why not?  Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?

Why not? Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?

 
I do not believe any sample code/"close to working" exploits are going to be released as part of Senrio's formal publication.
 

I am reaching out to them directly, but does anyone know if Tyco/ American Dynamics is affected by this?

Scott -

I did reach out to a contact at Tyco to ask about their product lines but have not heard back yet. If you hear anything let us know and I will update this report with their feedback.

 

Thabk you for the alert!

Small thing but moving ONVIF between Used and Toolkit helps my brain comprehend that title. Otherwise, great information.

Orlando, thanks for the feedback on the title. We struggled with the proper phrasing. For example, your recommendation would be 'Widely Used ONVIF Toolkit Vulnerability Discovered'. That would flow better generally but be technically incorrect because it's not an ONVIF toolkit, neither by gSOAP's design or by ONVIF's design. It just happens to be a toolkit that has been widely used by companies implementing ONVIF since ONVIF requires SOAP and gSOAP is a toolkit for implementing SOAP support.

Makes sense. 

Thank you Brian for this great information. Just one thing, it is "Genivia" not Genevia. It might be confusing for some users when they search on google. 

Thanks, I corrected the mentions of Genivia in the report.

UPDATE: Avigilon released a notice on the gSOAP vulnerability, confirming they were affected. They have also released updated firmware/VMS software.

More vendors who use gSOAP should "come clean".

UPDATE

Senrio released their report on this exploit, naming it "Devil's Ivy":

Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions

Here's the associated link to the technical details of the working exploit.

I'm not sure why given this exploit, a generic checker couldn't be fashioned, but my guess is that the exploit code must be specifically written for each firmware version...

Axis made this vulnerability the top item in their July newsletter:

I am the product manager for exacqVision. 

exacqVision uses an affected version of gSOAP as a client device. That is, exacqVision is not listening but rather makes SOAP requests from dynamically assigned ports that close after the response is received from the server (cameras in most cases). To be exploited, exacqVision would have to make a request to a malicious server/camera on the local network that would reply with the payload.

Although exploitation is improbable, exacqVision will receive an update to patch the vulnerability in the September release.

Ryan -

Thanks for the additional info, I will add a line for exacq into the report.

UPDATE - We received a statement from Bosch that they use their own software for handling SOAP/XML parsing and are not vulnerable to this. 

UPDATE - We already had Hanwha listed as not impacted, but have added a link to Hanwha's update stating they are not affected.

 

http://www.tycosecurityproducts.com/cyberprotection.aspx

 

Johnson Controls

6 Technology Park Drive

Westford, MA 01886-3140

Tele: 978 577 4000

18-July-2017 CPP-PSA-2017-02 v2

PRODUCT SECURITY ADVISORY

gSOAP – DEVIL’S IVY

(CVE-2017-9765)

On July 18th Senrio published details regarding a buffer overflow vulnerability in the gSOAP library. gSOAP is used to parse XML requests and is commonly used in physical security products where ONVIF and WS-Discovery are employed.

Exploitation of the vulnerability requires a large (>2Gb) request to be sent to a vulnerable device. If successful, the service or device may stop operating. With some effort and detailed information for a specific device, it may be possible to create a custom exploit to allow an attacker access to the underlying operating system. For more information and technical breakdown, see Senrio’s blog posts (links below).

The most vulnerable devices are devices acting as servers that must be able to receive SOAP requests. This includes cameras that use ONVIF and WS-discovery for device discovery and other functions.

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

VideoEdge NVR and Exacq NVRs use an affected version of gSOAP as a client device to discover and manage cameras. Verified through testing by our Cyber Protection engineers, these devices make SOAP requests from dynamically assigned ports that close after the response is received from the server.

Although exploitation may not be possible, in accordance with their patch policies, both products will receive an update to correct the vulnerability in the next regular update to the product.

The CEM Systems S3040 portable reader and the Portable Sub-System software used on the CEM Systems AC2000 CDC servers to service these readers uses an affected version of gSOAP. A patch that resolves this vulnerability in AC2000 versions 6.6 to version 8.0 will soon be available. CEM Systems is still investigating the full impact of the vulnerability in the portable reader.

http://www.tycosecurityproducts.com/cyberprotection.aspx

 

Illustra Essentials do not use gSOAP and are not affected.

American Dynamics victor Application Server and Clients do not use gSOAP.

Software House C•CURE 9000 and iSTAR panels do not use gSOAP.

Kantech products do not use gSOAP.

As more information about the vulnerability become available, we will be updating this advisory. If you do experience any problems or have any questions, please contact your technical support team or the Cyber Protection Program at TSPCyberProtection@tycoint.com

Illustra ONVIF Ports Port

Type

Direction

Purpose

8080

TCP

Inbound

HTTP proxy for ONVIF information, WS-discovery

8081

TCP

Inbound

ONVIF media service

8082

TCP

Inbound

ONVIF ptz service

8083

TCP

Inbound

ONVIF event service

8084

TCP

Inbound

ONVIF imaging service

8085

TCP

Inbound

ONVIF device IO service

#5, thanks!

Btw, this section was interesting / confusing:

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

The net/net appears that they are not vulnerable since they do not allow 2GB uploads. If that is correct, they would have made for a simpler response to simply say they are not vulnerable?

Read this IPVM report for free.

This article is part of IPVM's 6,743 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports