SOAP ******* *************
*** ************* ****** ** ********'* ***** *******, ***** *********** ******** **** ****. Many ***** ************ ************* ************ ***** use ***** ** ***** ************.
******* *** ************ *** *************** ******** *.* ** *.*.**, ******:
******** *** ****** ***** ******* *.*.** or ******* ** *** * ********* vulnerability **** *** ** ******* **** large *** ******** *** ******** **** 2 ** ** ****.
**** ****** ******** *** ** **** to ***** ******* ******* ** *** device ******, ********* ******* **** ******.
*** ** *** **** **** ******* (or ******** ** **) ** ******** within ****** ********, ***** ********* **** no **** *** ** **** ** the ******** ** ***** ****** ** affected ******* * ************ ************.
Vulnerability **********
[****** */**/****] ****** ******** ***** ******** this *************, ********* ****** ** "*****'* Ivy" *** ********* ********:*****'* ***: **** ** ****** **** Third-party **** ******* ********.
Widely **** ** *************
*******'* ***** ******* ** ****** **** for ***** *************** ***** *************, ********* to ************* **** ***** ****. *** toolkit **** ***** ** **** *** non-ONVIF ********, **** ** ** ****** a ******* ****** ******/************* ***.
Blocking ***** *******
***** *** ************* ******* ** ********* large ***** (*.*., ***) ** ******* the ****** ********, ** * ************ restricts **** *******, **** ** **** use *** ******** ***** ********, **** would ** *********. **** ** ********, but *** ****** ****, ***** ** the *** ****** **** *** ****** uses.
Manufacturer ********* ** ************* *********
**** ***** * ****** ** ******** manufacturers ***** **** *************. ***** ********* are *****:
- *******: **, **** *** *** ***** toolkit.
- ********: ***,******** ******** ******, *** ******* ********/***
- ****: ***,******** * ******** ******, *** ******* ********.
- *****: **, **** *** *** ***** toolkit
- *****: ************
- *****: ***, *** **** ** ******* potential, *** ***: ********* ****
- *******: **, **** *** *** ***** toolkit.
- ******: **, **** *****, *** ****** or ******* *** **** *******.****** ********* ** ***** *************.
- *********: **, **** *** *** *****.
- *********: ***, ******* *** ** **** release. ********* ********* ***** ** ************ ********* ******* ****** *****.
- *********: **, **** *** *** ***** toolkit.
- *****: **, **** *****, *** ***** or ****** *** **** *******.
*** ************* ********, ***** ****** ***** directly ** *******/******** ******* *** ***** manufacturers, ** ** ** ******** *** all ******** *** ********, ** **** patched ******** ** *** *** *********.
**** ***** ** ****** **** **** responses ** ** *******.
100s ** ************* *******
***** **** *** ******* *** ** a ****** ** *** ****** *************, hundreds ** ********* / ************* *** ONVIF (***+ ***** ******* *** *,***+ ONVIF ******* * ******** ** ** this ***********). ** ******* **** ** them *** ********.
ONVIF ************ ** *****
****** *** ***** ******* ** ***** used ** ********* ***** ************* ** devices, *** ************* ** ******* ** the *******, *** ***** ************. ** is **** ******** *** ************* ** implement **** ***** *********** ******* ***** this *******. *** ***** *******, * device's ***** ******* ******* ** *********** listing *** *** ** **** ** give *** ********** ** **** *** this *************.
ONVIF ***** *** ********* ** *******
***** **** *** ********* ******* ** IPVM ********* ***** *** **** *************:
***** ** *** **** ** *** ONVIF **************, *** ** **** ** the **** *** *** ***** ***, it ** ******** **** ***** ***** members ***** ** ********. *****, *********, agreed ** **** *** * ********* to *** ******* ** **** **** aware ** *** *************.
No ***** ** ******** ********
****** *** *** ******** *** ***** of ******* **** *** *** *******, making ** ****** ******** ** ** used ** *** *****-**** *******, *** more ** * *********** ****. ******* has **** *** ******** *** ********* of ***** ***** ********, ** ***** to **** ** **** ********* *** potential ********* ** ********** ******* *** the ******* ***** ** ******* ***.
Low **** ** *******
*** ****** ** ****** ******** ******* makes **** ******** ****** ********, *** can ******* ***** *** *****, ** deep ********* ** *** ****** ******, to **** * ********** ****** **** reveals **** ** ******** **** ******. Because ** ****, *** *** **** that *** ******* ** *** ******** XML ********** ******** *** ** ******* are ***** ******** ** **** ** hard *** **** ************* **** ** put ** **** ***.
Mitigating ****
******* ** **** ***** ***** ******** vulnerabilities ** ******* *******, *********** ******* access ** *** **** **** ******* reduce *** ****** ** *******. ******* utilizing * *** ** ******** *** remote ******, ******* ** ***** ******** connected ** *** ********, *** *********** immune **** ****** ****** (****** ** is ******** *** *** *** ****** to **** ***************). ************, ********* ******** to ************-*********** ********, ** **** ****** available, **** ********* **** ******** *************.
Comments (23)
Undisclosed Integrator #1
nice tight informative to the practioner reporting. these are the articles that make subscribing more than worth it.
Create New Topic
Brian Karas
UPDATE - we received a response from Hikvision that they do not use the gSOAP toolkit, and updated the report accordingly.
Create New Topic
Undisclosed #2
Perhaps a test can be fashioned, based on some unrelated behavior, like was done with the Heartbleed bug.
Why not? Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?
Create New Topic
Brian Karas
Create New Topic
Scott Napier
I am reaching out to them directly, but does anyone know if Tyco/ American Dynamics is affected by this?
Create New Topic
John Lineweaver
Thabk you for the alert!
Create New Topic
Orlando Ayala
Small thing but moving ONVIF between Used and Toolkit helps my brain comprehend that title. Otherwise, great information.
Create New Topic
Undisclosed #4
Thank you Brian for this great information. Just one thing, it is "Genivia" not Genevia. It might be confusing for some users when they search on google.
Create New Topic
Brian Karas
UPDATE: Avigilon released a notice on the gSOAP vulnerability, confirming they were affected. They have also released updated firmware/VMS software.
Create New Topic
Brian Karas
UPDATE
Senrio released their report on this exploit, naming it "Devil's Ivy":
Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions
Create New Topic
Brian Karas
Axis made this vulnerability the top item in their July newsletter:
Create New Topic
Ryan Hulse
I am the product manager for exacqVision.
exacqVision uses an affected version of gSOAP as a client device. That is, exacqVision is not listening but rather makes SOAP requests from dynamically assigned ports that close after the response is received from the server (cameras in most cases). To be exploited, exacqVision would have to make a request to a malicious server/camera on the local network that would reply with the payload.
Although exploitation is improbable, exacqVision will receive an update to patch the vulnerability in the September release.
Create New Topic
Brian Karas
UPDATE - We received a statement from Bosch that they use their own software for handling SOAP/XML parsing and are not vulnerable to this.
Create New Topic
Brian Karas
UPDATE - We already had Hanwha listed as not impacted, but have added a link to Hanwha's update stating they are not affected.
Create New Topic
Undisclosed End User #5
http://www.tycosecurityproducts.com/cyberprotection.aspx
Johnson Controls
6 Technology Park Drive
Westford, MA 01886-3140
Tele: 978 577 4000
18-July-2017 CPP-PSA-2017-02 v2
PRODUCT SECURITY ADVISORY
gSOAP – DEVIL’S IVY
(CVE-2017-9765)
On July 18th Senrio published details regarding a buffer overflow vulnerability in the gSOAP library. gSOAP is used to parse XML requests and is commonly used in physical security products where ONVIF and WS-Discovery are employed.
Exploitation of the vulnerability requires a large (>2Gb) request to be sent to a vulnerable device. If successful, the service or device may stop operating. With some effort and detailed information for a specific device, it may be possible to create a custom exploit to allow an attacker access to the underlying operating system. For more information and technical breakdown, see Senrio’s blog posts (links below).
The most vulnerable devices are devices acting as servers that must be able to receive SOAP requests. This includes cameras that use ONVIF and WS-discovery for device discovery and other functions.
Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.
The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.
Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.
Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.
VideoEdge NVR and Exacq NVRs use an affected version of gSOAP as a client device to discover and manage cameras. Verified through testing by our Cyber Protection engineers, these devices make SOAP requests from dynamically assigned ports that close after the response is received from the server.
Although exploitation may not be possible, in accordance with their patch policies, both products will receive an update to correct the vulnerability in the next regular update to the product.
The CEM Systems S3040 portable reader and the Portable Sub-System software used on the CEM Systems AC2000 CDC servers to service these readers uses an affected version of gSOAP. A patch that resolves this vulnerability in AC2000 versions 6.6 to version 8.0 will soon be available. CEM Systems is still investigating the full impact of the vulnerability in the portable reader.
http://www.tycosecurityproducts.com/cyberprotection.aspx
Illustra Essentials do not use gSOAP and are not affected.
American Dynamics victor Application Server and Clients do not use gSOAP.
Software House C•CURE 9000 and iSTAR panels do not use gSOAP.
Kantech products do not use gSOAP.
As more information about the vulnerability become available, we will be updating this advisory. If you do experience any problems or have any questions, please contact your technical support team or the Cyber Protection Program at TSPCyberProtection@tycoint.com
Illustra ONVIF Ports Port
Type
Direction
Purpose
8080
TCP
Inbound
HTTP proxy for ONVIF information, WS-discovery
8081
TCP
Inbound
ONVIF media service
8082
TCP
Inbound
ONVIF ptz service
8083
TCP
Inbound
ONVIF event service
8084
TCP
Inbound
ONVIF imaging service
8085
TCP
Inbound
ONVIF device IO service
Create New Topic