ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered (Devil's Ivy)

nice tight informative to the practioner reporting.  these are the articles that make subscribing more than worth it.

UPDATE - we received a response from Hikvision that they do not use the gSOAP toolkit, and updated the report accordingly.

...users generally have no easy way to tell if the firmware in their device is affected without a manufacturer confirmation.

Perhaps a test can be fashioned, based on some unrelated behavior, like was done with the Heartbleed bug.

However, given what is already known, and the fact that the toolkit developer has released a patch, the formal release will likely not provide any significant new information.

Why not?  Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?

I am reaching out to them directly, but does anyone know if Tyco/ American Dynamics is affected by this?

Thabk you for the alert!

Small thing but moving ONVIF between Used and Toolkit helps my brain comprehend that title. Otherwise, great information.

Thank you Brian for this great information. Just one thing, it is "Genivia" not Genevia. It might be confusing for some users when they search on google. 

UPDATE: Avigilon released a notice on the gSOAP vulnerability, confirming they were affected. They have also released updated firmware/VMS software.

UPDATE

Senrio released their report on this exploit, naming it "Devil's Ivy":

Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions

Axis made this vulnerability the top item in their July newsletter:

I am the product manager for exacqVision. 

exacqVision uses an affected version of gSOAP as a client device. That is, exacqVision is not listening but rather makes SOAP requests from dynamically assigned ports that close after the response is received from the server (cameras in most cases). To be exploited, exacqVision would have to make a request to a malicious server/camera on the local network that would reply with the payload.

Although exploitation is improbable, exacqVision will receive an update to patch the vulnerability in the September release.

UPDATE - We received a statement from Bosch that they use their own software for handling SOAP/XML parsing and are not vulnerable to this. 

UPDATE - We already had Hanwha listed as not impacted, but have added a link to Hanwha's update stating they are not affected.

http://www.tycosecurityproducts.com/cyberprotection.aspx

Johnson Controls

6 Technology Park Drive

Westford, MA 01886-3140

Tele: 978 577 4000

18-July-2017 CPP-PSA-2017-02 v2

PRODUCT SECURITY ADVISORY

gSOAP – DEVIL’S IVY

(CVE-2017-9765)

On July 18th Senrio published details regarding a buffer overflow vulnerability in the gSOAP library. gSOAP is used to parse XML requests and is commonly used in physical security products where ONVIF and WS-Discovery are employed.

Exploitation of the vulnerability requires a large (>2Gb) request to be sent to a vulnerable device. If successful, the service or device may stop operating. With some effort and detailed information for a specific device, it may be possible to create a custom exploit to allow an attacker access to the underlying operating system. For more information and technical breakdown, see Senrio’s blog posts (links below).

The most vulnerable devices are devices acting as servers that must be able to receive SOAP requests. This includes cameras that use ONVIF and WS-discovery for device discovery and other functions.

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

VideoEdge NVR and Exacq NVRs use an affected version of gSOAP as a client device to discover and manage cameras. Verified through testing by our Cyber Protection engineers, these devices make SOAP requests from dynamically assigned ports that close after the response is received from the server.

Although exploitation may not be possible, in accordance with their patch policies, both products will receive an update to correct the vulnerability in the next regular update to the product.

The CEM Systems S3040 portable reader and the Portable Sub-System software used on the CEM Systems AC2000 CDC servers to service these readers uses an affected version of gSOAP. A patch that resolves this vulnerability in AC2000 versions 6.6 to version 8.0 will soon be available. CEM Systems is still investigating the full impact of the vulnerability in the portable reader.

http://www.tycosecurityproducts.com/cyberprotection.aspx

Illustra Essentials do not use gSOAP and are not affected.

American Dynamics victor Application Server and Clients do not use gSOAP.

Software House C•CURE 9000 and iSTAR panels do not use gSOAP.

Kantech products do not use gSOAP.

As more information about the vulnerability become available, we will be updating this advisory. If you do experience any problems or have any questions, please contact your technical support team or the Cyber Protection Program at TSPCyberProtection@tycoint.com