ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered (Devil's Ivy)

By: IPVM Team, Published on Jul 10, 2017

A vulnerability has been discovered in a toolkit that video surveillance manufacturers widely use for implementing ONVIF.

In this report, we examine what this vulnerability is, how it works, who is impacted, and what to do.

SOAP ******* *************

*** ************* ****** ** a*******'* ***** *******, ***** *********** ******** HTTP ****. **** ***** surveillance ************* ************ ***** use ***** ** ***** requires****.

******* *** ************ *** vulnerability** ******** *.* ** 2.8.47, ******:

******** *** ****** ***** release *.*.** ** ******* to *** * ********* vulnerability **** *** ** exposed **** ***** *** specific *** ******** **** 2 ** ** ****.

**** ****** ******** *** be **** ** ***** various ******* ** *** device ******, ********* ******* root ******.

*** ** *** **** this ******* (** ******** of **) ** ******** within ****** ********, ***** generally **** ** **** way ** **** ** the ******** ** ***** device ** ******** ******* a ************ ************.

Vulnerability **********

[****** */**/****] ****** ******** their ******** **** *************, including ****** ** "*****'* Ivy" *** ********* ********:*****'* ***: **** ** Widely **** *****-***** **** Impacts ********.

Widely **** ** *************

*******'* ***** ******* ** widely **** *** ***** implementations ***** *************, ********* to ************* **** ***** with. *** ******* **** could ** **** *** non-ONVIF ********, **** ** to ****** * ******* camera ******/************* ***.

Blocking ***** *******

***** *** ************* ******* on ********* ***** ***** (e.g., ***) ** ******* the ****** ********, ** a ************ ********* **** uploads, **** ** **** use *** ******** ***** versions, **** ***** ** protected. **** ** ********, but *** ****** ****, based ** *** *** server **** *** ****** uses.

Manufacturer ********* ** ************* *********

**** ***** * ****** of ******** ************* ***** this *************. ***** ********* are *****:

  • *******: **, **** *** use ***** *******.
  • ********: ***,******** ******** ******, *** ******* ********/***
  • ****: ***,******** * ******** ******, *** ******* ********.
  • *****: **, **** *** use ***** *******
  • *****: ************
  • *****: ***, *** **** of ******* *********, *** ETA: ********* ****
  • *******: **, **** *** use ***** *******.
  • ******: **, **** *****, but ****** ** ******* XML **** *******.****** ********* ** ***** vulnerability.
  • *********: **, **** *** use *****.
  • *********: ***, ******* *** in **** *******. ********* following ***** ** ************ ********* ******* ****** *****.
  • *********: **, **** *** use ***** *******.
  • *****: **, **** *****, but ***** ** ****** XML **** *******.

*** ************* ********, ***** should ***** ******** ** support/firmware ******* *** ***** manufacturers, ** ** ** possible *** *** ******** are ********, ** **** patched ******** ** *** yet *********.

**** ***** ** ****** this **** ********* ** we *******.

100s ** ************* *******

***** **** *** ******* out ** * ****** of *** ****** *************, hundreds ** ********* / manufacturers *** ***** (***+ ONVIF ******* *** *,***+ ONVIF ******* * ******** as ** **** ***********). We ******* **** ** them *** ********.

ONVIF ************ ** *****

****** *** ***** ******* is ***** **** ** implement ***** ************* ** devices, *** ************* ** related ** *** *******, not ***** ************. ** is **** ******** *** manufacturers ** ********* **** ONVIF *********** ******* ***** this *******. *** ***** reasons, * ******'* ***** profile ******* ** *********** listing *** *** ** used ** **** *** indication ** **** *** this *************.

ONVIF ***** *** ********* ** *******

***** **** *** ********* comment ** **** ********* gSOAP *** **** *************:

***** ** *** **** of *** ***** **************, but ** **** ** the **** *** *** ONVIF ***, ** ** possible **** ***** ***** members ***** ** ********. ONVIF, *********, ****** ** send *** * ********* to *** ******* ** make **** ***** ** the *************.

No ***** ** ******** ********

****** *** *** ******** any ***** ** ******* code *** *** *******, making ** ****** ******** to ** **** ** any *****-**** *******, *** more ** * *********** risk. ******* *** **** not ******** *** ********* of ***** ***** ********, in ***** ** **** it **** ********* *** potential ********* ** ********** exactly *** *** ******* could ** ******* ***.

Low **** ** *******

*** ****** ** ****** overflow ******* ***** **** somewhat ****** ********, *** can ******* ***** *** error, ** **** ********* of *** ****** ******, to **** * ********** attack **** ******* **** or ******** **** ******. Because ** ****, *** the **** **** *** details ** *** ******** XML ********** ******** *** an ******* *** ***** released ** **** ** hard *** **** ************* will ** *** ** real ***.

Mitigating ****

******* ** **** ***** cyber ******** *************** ** network *******, *********** ******* access ** *** **** will ******* ****** *** chance ** *******. ******* utilizing * *** ** recorder *** ****** ******, instead ** ***** ******** connected ** *** ********, are *********** ****** **** remote ****** (****** ** is ******** *** *** VMS ****** ** **** vulnerabilities). ************, ********* ******** to ************-*********** ********, ** they ****** *********, **** eliminate **** ******** *************.

Comments (23)

Nice, tight, informative-to-the-practitioner reporting. These are the articles that make subscribing more than worth it.

UPDATE - we received a response from Hikvision that they do not use the gSOAP toolkit, and updated the report accordingly.


...users generally have no easy way to tell if the firmware in their device is affected without a manufacturer confirmation.

Perhaps a test can be fashioned, based on some unrelated behavior, like was done with the Heartbleed bug.

However, given what is already known, and the fact that the toolkit developer has released a patch, the formal release will likely not provide any significant new information.

Why not?  Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?

I do not believe any sample code/"close to working" exploits are going to be released as part of Senrio's formal publication.

I am reaching out to them directly, but does anyone know if Tyco/ American Dynamics is affected by this?

Scott -

I did reach out to a contact at Tyco to ask about their product lines but have not heard back yet. If you hear anything let us know and I will update this report with their feedback.


Thank you for the alert!

Small thing but moving ONVIF between Used and Toolkit helps my brain comprehend that title. Otherwise, great information.

Orlando, thanks for the feedback on the title. We struggled with the proper phrasing. For example, your recommendation would be 'Widely Used ONVIF Toolkit Vulnerability Discovered'. That would flow better generally but be technically incorrect because it's not an ONVIF toolkit, neither by gSOAP's design nor by ONVIF's design. It just happens to be a toolkit that has been widely used by companies implementing ONVIF since ONVIF requires SOAP and gSOAP is a toolkit for implementing SOAP support.

Makes sense. 

Thank you Brian for this great information. Just one thing, it is "Genivia" not Genevia. It might be confusing for some users when they search on google. 

Thanks, I corrected the mentions of Genivia in the report.

UPDATE: Avigilon released a notice on the gSOAP vulnerability, confirming they were affected. They have also released updated firmware/VMS software.

More vendors who use gSOAP should "come clean".

UPDATE

Senrio released their report on this exploit, naming it "Devil's Ivy":

Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions

Here's the associated link to the technical details of the working exploit.

I'm not sure why given this exploit, a generic checker couldn't be fashioned, but my guess is that the exploit code must be specifically written for each firmware version...

Axis made this vulnerability the top item in their July newsletter:

I am the product manager for exacqVision. 

exacqVision uses an affected version of gSOAP as a client device. That is, exacqVision is not listening but rather makes SOAP requests from dynamically assigned ports that close after the response is received from the server (cameras in most cases). To be exploited, exacqVision would have to make a request to a malicious server/camera on the local network that would reply with the payload.

Although exploitation is improbable, exacqVision will receive an update to patch the vulnerability in the September release.

Ryan -

Thanks for the additional info, I will add a line for exacq into the report.

UPDATE - We received a statement from Bosch that they use their own software for handling SOAP/XML parsing and are not vulnerable to this. 

UPDATE - We already had Hanwha listed as not impacted, but have added a link to Hanwha's update stating they are not affected.


http://www.tycosecurityproducts.com/cyberprotection.aspx


Johnson Controls

6 Technology Park Drive

Westford, MA 01886-3140

Tele: 978 577 4000

18-July-2017 CPP-PSA-2017-02 v2

PRODUCT SECURITY ADVISORY

gSOAP – DEVIL’S IVY

(CVE-2017-9765)

On July 18th Senrio published details regarding a buffer overflow vulnerability in the gSOAP library. gSOAP is used to parse XML requests and is commonly used in physical security products where ONVIF and WS-Discovery are employed.

Exploitation of the vulnerability requires a large (>2Gb) request to be sent to a vulnerable device. If successful, the service or device may stop operating. With some effort and detailed information for a specific device, it may be possible to create a custom exploit to allow an attacker access to the underlying operating system. For more information and technical breakdown, see Senrio’s blog posts (links below).

The most vulnerable devices are devices acting as servers that must be able to receive SOAP requests. This includes cameras that use ONVIF and WS-discovery for device discovery and other functions.

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

VideoEdge NVR and Exacq NVRs use an affected version of gSOAP as a client device to discover and manage cameras. Verified through testing by our Cyber Protection engineers, these devices make SOAP requests from dynamically assigned ports that close after the response is received from the server.

Although exploitation may not be possible, in accordance with their patch policies, both products will receive an update to correct the vulnerability in the next regular update to the product.

The CEM Systems S3040 portable reader and the Portable Sub-System software used on the CEM Systems AC2000 CDC servers to service these readers uses an affected version of gSOAP. A patch that resolves this vulnerability in AC2000 versions 6.6 to version 8.0 will soon be available. CEM Systems is still investigating the full impact of the vulnerability in the portable reader.


Illustra Essentials do not use gSOAP and are not affected.

American Dynamics victor Application Server and Clients do not use gSOAP.

Software House C•CURE 9000 and iSTAR panels do not use gSOAP.

Kantech products do not use gSOAP.

As more information about the vulnerability becomes available, we will be updating this advisory. If you do experience any problems or have any questions, please contact your technical support team or the Cyber Protection Program at TSPCyberProtection@tycoint.com

Illustra ONVIF Ports

Port   Type   Direction   Purpose
8080   TCP    Inbound     HTTP proxy for ONVIF information, WS-discovery
8081   TCP    Inbound     ONVIF media service
8082   TCP    Inbound     ONVIF ptz service
8083   TCP    Inbound     ONVIF event service
8084   TCP    Inbound     ONVIF imaging service
8085   TCP    Inbound     ONVIF device IO service

#5, thanks!

Btw, this section was interesting / confusing:

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

The net/net appears to be that they are not vulnerable since they do not allow 2GB uploads. If that is correct, wouldn't it have made for a simpler response to simply say they are not vulnerable?
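The following is an added example, written for this page and not code from IPVM, Tyco, Senrio or Genivia. It models the mitigation the Tyco advisory above describes, a device that counts the bytes of an incoming SOAP request and resets the connection once a set threshold is passed, as a small loopback server, and pairs it with a probe that streams an oversized POST and reports whether the server answered, silently closed, or reset the connection. That probe is the kind of check the last comment asks about: it shows whether a size cap is enforced on what actually arrives, not just on what Content-Length claims. The 64 KB threshold, the /onvif/device_service path and the padded envelope are assumptions chosen for the demo; real devices use their own thresholds, and the advisory gives more than 2 GB as the request size the gSOAP flaw needs.

```python
import errno
import re
import socket
import struct
import threading

# Constructed SOAP envelope (not a real ONVIF message); padding goes inside <Pad>.
SOAP_OPEN = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
             b'<s:Body><Pad>')
SOAP_CLOSE = b'</Pad></s:Body></s:Envelope>'


def build_body(total_len):
    """Return a SOAP body of exactly total_len bytes (envelope plus text padding)."""
    pad = total_len - len(SOAP_OPEN) - len(SOAP_CLOSE)
    if pad < 0:
        raise ValueError("total_len is smaller than the bare envelope")
    return SOAP_OPEN + b"A" * pad + SOAP_CLOSE


def start_limited_server(threshold):
    """Serve one request on an ephemeral loopback port in a background thread.
    Assumed model of the advisory's mitigation (not a vendor's code): every
    received byte is counted, headers and body alike and regardless of what
    Content-Length claims; once the running total passes `threshold` the socket
    is closed with SO_LINGER=0, which makes the kernel send a RST. A request that
    completes under the threshold gets an empty 200. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(10)
        total, head, declared, body_seen = 0, b"", None, 0
        try:
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    return                    # client hung up early; nothing to answer
                total += len(chunk)
                if total > threshold:         # the size check comes before any parsing
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))
                    return                    # close() in `finally` now sends a RST
                if declared is None:          # still collecting the request headers
                    head += chunk
                    hdr, sep, rest = head.partition(b"\r\n\r\n")
                    if not sep:
                        continue
                    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)\r?$", hdr)
                    declared = int(m.group(1)) if m else 0   # no length: empty body
                    body_seen = len(rest)
                else:
                    body_seen += len(chunk)
                if body_seen >= declared:
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                                 b"Connection: close\r\n\r\n")
                    return
        finally:
            conn.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def probe(port, body_len, chunk=4096):
    """Stream a SOAP POST of body_len bytes to 127.0.0.1:port in chunk-sized
    pieces and report the outcome: 'reset' if the connection was reset, 'closed'
    if it was closed without a reply, otherwise the HTTP status code. 'sent' is
    the number of body bytes handed to the kernel before the outcome, an upper
    bound on what the server actually accepted."""
    body = build_body(body_len)
    head = (b"POST /onvif/device_service HTTP/1.1\r\nHost: 127.0.0.1\r\n"   # assumed path
            b"Content-Type: application/soap+xml; charset=utf-8\r\n"
            b"Content-Length: %d\r\n\r\n" % body_len)
    sent, resp = 0, b""
    s = socket.create_connection(("127.0.0.1", port), timeout=10)
    try:
        s.sendall(head)
        while sent < body_len:
            piece = body[sent:sent + chunk]
            s.sendall(piece)
            sent += len(piece)
        s.shutdown(socket.SHUT_WR)            # raises ENOTCONN if a RST already arrived
        while True:
            data = s.recv(4096)
            if not data:
                break
            resp += data
    except OSError as exc:
        if isinstance(exc, ConnectionError) or exc.errno == errno.ENOTCONN:
            return {"sent": sent, "outcome": "reset"}
        raise                                 # timeouts and other errors are real failures
    finally:
        s.close()
    if resp.startswith(b"HTTP/"):
        return {"sent": sent, "outcome": resp.split(b" ", 2)[1].decode()}
    return {"sent": sent, "outcome": "closed"}


if __name__ == "__main__":
    print("16 KB request:", probe(start_limited_server(64 * 1024), 16 * 1024))
    print("4 MB request: ", probe(start_limited_server(64 * 1024), 4 * 1024 * 1024))
```

Run it as a script to see the two outcomes side by side: the small request gets a 200, the oversized one is reset part-way through. Because the server counts what arrives rather than trusting Content-Length, a client that declares a small body and keeps sending is cut off just the same. Pointing `probe()` at a real device means streaming gigabytes through it, so it belongs in a lab, and `build_body()` would need to become a generator rather than one in-memory bytes object.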

