"Bad Code Library Triggers Devil's Ivy Vulnerability, Millions of IoT Devices Affected" -- provided by Harbin Antiy Technology Group Co., Ltd.

2018-07-25

A security firm has disclosed that the gSOAP (Simple Object Access Protocol) toolkit contains a zero-day vulnerability dubbed Devil's Ivy, exposing millions of IoT devices that use the toolkit (airport surveillance cameras, sensors and other connected devices) to attack: an attacker can remotely take control of a device or crash it.

Researchers discovered the flaw while analyzing high-end security cameras manufactured by Axis Communications. Of 251 Axis camera models, 249 are affected. A remote attacker can intercept the video feed, reboot the device, or stop recording while committing a crime.

Researchers said Axis Communications is not alone: another 34 companies also use the gSOAP software, including Microsoft, IBM, Xerox and Adobe. All of these companies belong to the ONVIF Forum, an unofficial international consortium of hardware vendors.

Researchers believe the bad code that triggered Devil's Ivy resides in a software library maintained for the software and network protocols used by ONVIF Forum members. The researchers said: "Forums like ONVIF play a positive role on questions of cost, efficiency and interoperability, but it is important to remember that code reuse is vulnerability reuse."

Last Tuesday the researchers published a technical blog explaining the flaw. According to the blog, the vulnerability sits in the communication layer of the gSOAP library used by the devices; gSOAP is a widely used web services development tool that lets XML-enabled devices communicate over the internet. Senrio noted that roughly 6% of forum members use gSOAP.

The vulnerability allows a remote attacker to flood the target device with data over port 80, creating a simple buffer overflow attack. The attacker can then send a specially crafted payload that executes arbitrary code on the device without authentication. "In the case of the Axis camera, exploiting the vulnerability requires sending a malicious payload to port 80. The camera then processes the data using the vulnerable library. The attacker then sends a specially crafted payload that triggers a stack buffer overflow, leading to custom code execution." Once an attacker executes code on the device, they can reset the firmware to factory defaults. From there they can change passwords or network settings, Carlton said. Vulnerable devices are compromised even when complex passwords are in use. Because a large volume of traffic is sent to cameras and other IoT devices during an attack, the attack should set off alarms.

"In the security cameras we looked at, the gSOAP library causes a serious problem. In other security devices, gSOAP may not cause as big a problem," the researchers said. "We have not done extensive research on this point, so we just don't know."

The researchers discovered the flaw in May and waited until Axis and Genivia had deployed patches before publicly disclosing it. An internet search with Shodan showed 14,700 Axis cameras affected by Devil's Ivy exposed online. The researchers recommend patching, keeping security devices off public networks, and placing them behind a firewall.

"Devil's Ivy highlights the industry's growing concern with IoT security. We often forget, or don't even realize, that many of the devices we use every day (from the stoplight at the street corner to the Fitbit on your wrist) are computers, and are therefore just as vulnerable as the PC you use every day," the researchers said.

Repositories hosted by the ONVIF Forum, GitHub, Bitbucket, NuGet Gallery and similar services help developers find existing code to add functionality to their software projects. But security experts have long warned that the amount of insecure software tied to reused third-party libraries is staggering. Researchers analyzed 25,000 applications and found that 7% of components had at least one vulnerability tied to the use of an insecure software component.

Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices

https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of-iot-devices/126913/

Tens of millions of products ranging from airport surveillance cameras, sensors, networking equipment and IoT devices are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them.

The vulnerability, dubbed Devil’s Ivy, was identified by researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications. Senrio said 249 models of 251 Axis cameras are vulnerable to unauthenticated remote attackers who can intercept a video feed, reboot cameras, or pause a video feed while conducting a crime.

Researchers said Axis Communications isn’t alone, reporting 34 companies use the same underlying flawed software; including Microsoft, IBM, Xerox and Adobe. Those companies are part of the ONVIF Forum, an unofficial international consortium of hardware vendors.

Researchers believe bad code used in a software library responsible for the bug originated from the ONVIF Forum, which is responsible for maintaining software and networking protocols used by members. “While forums like ONVIF serve a useful purpose when it comes to issues of cost, efficiency, and interoperability, it is important to remember that code reuse is vulnerability reuse,” researchers said.

The vulnerability is in the communication layer of a software library used in those devices called gSOAP, which is a widely used web services development tool for XML enabling devices to talk to the internet, researchers wrote on a technical blog explaining the vulnerability on Tuesday. Approximately six percent of the forum members use gSOAP, Senrio said.

The vulnerability allows a remote adversary to flood the targeted device over port 80 with data and create a simple buffer overflow attack. Next, researchers say, the adversary can send a specially crafted payload of data that allows a remote unauthenticated user to execute code on vulnerable devices.

“In the case of this camera, in order to exploit the vulnerability you would need to send a malicious payload to port 80. The camera then processes the data using the vulnerable library. The attacker then sends the specially crafted payload that triggers the buffer stack overflow which leads to custom code execution,” said M. Carlton, VP of research with Senrio, in an interview with Threatpost.

Once the attacker executes code on the device, they have the ability to reset the firmware back to the device's factory defaults. From there, they can change the passwords or network settings, Carlton said. The attack works on vulnerable devices despite the use of complex passwords.

Michael Tanji, COO and cofounder of Senrio, told Threatpost that the attack generally should sound alarm bells because of the large volume of traffic sent to cameras and IoT devices when attacks take place.
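The two observable signals the article describes, a data flood to port 80 followed by a single oversized payload, lend themselves to a simple log-side check. The following Python script is an added example written for this page; it is not code from Senrio, Axis, Genivia or Threatpost. The log line format, the ONVIF endpoint path, the thresholds (1 MB body, 5 requests in 10 seconds) and the sample lines are all constructed assumptions; in practice the thresholds would be tuned to the camera fleet's normal traffic.

```python
"""Flag bursty or oversized HTTP traffic to port 80 on IoT camera hosts.

Added example, not code from Senrio, Axis or Threatpost. The log format,
the endpoint path and the thresholds are assumptions; sample lines are
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
#   "<ISO time> <src ip> <dst ip>:<port> <method> <path> <request bytes>"
# 10.0.0.5 is a normal client; 203.0.113.9 sends one 5 MB body and then a burst.
SAMPLE_LOG = """\
2017-07-18T10:00:01 10.0.0.5 192.168.1.20:80 GET /onvif/device_service 312
2017-07-18T10:00:02 10.0.0.5 192.168.1.20:80 POST /onvif/device_service 2048
2017-07-18T10:00:05 10.0.0.5 192.168.1.20:443 GET /status 200
2017-07-18T10:00:10 203.0.113.9 192.168.1.20:80 POST /onvif/device_service 5000000
2017-07-18T10:00:11 203.0.113.9 192.168.1.20:80 POST /onvif/device_service 1200
2017-07-18T10:00:11 203.0.113.9 192.168.1.20:80 POST /onvif/device_service 1200
2017-07-18T10:00:12 203.0.113.9 192.168.1.20:80 POST /onvif/device_service 1200
2017-07-18T10:00:12 203.0.113.9 192.168.1.20:80 POST /onvif/device_service 1200
2017-07-18T10:00:13 203.0.113.9 192.168.1.20:80 POST /onvif/device_service 1200
"""


@dataclass(frozen=True)
class Request:
    ts: datetime
    src: str
    dst: str
    port: int
    method: str
    path: str
    size: int


def parse_line(line: str) -> Request:
    """Parse one log line in the assumed format above."""
    ts, src, dst_port, method, path, size = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Request(datetime.fromisoformat(ts), src, dst, int(port), method, path, int(size))


def detect(lines, max_body=1_000_000, burst=5, window=timedelta(seconds=10), port=80):
    """Return alerts for (a) any request body above max_body bytes and
    (b) any source sending `burst` or more requests to one host within `window`.

    Alerts are (kind, src, dst, detail) tuples. Only traffic to `port` is
    considered, since the article describes the flood and payload on port 80.
    """
    alerts = []
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    flagged_burst = set()         # report each (src, dst) burst once
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        req = parse_line(raw)
        if req.port != port:
            continue
        if req.size > max_body:
            alerts.append(("oversized", req.src, req.dst,
                           f"{req.size} bytes to {req.path}"))
        q = recent[(req.src, req.dst)]
        q.append(req.ts)
        while q and req.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= burst and (req.src, req.dst) not in flagged_burst:
            flagged_burst.add((req.src, req.dst))
            alerts.append(("burst", req.src, req.dst,
                           f"{len(q)} requests in {window.total_seconds():.0f}s"))
    return alerts


if __name__ == "__main__":
    for kind, src, dst, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {src} -> {dst}: {detail}")
```

Run against the constructed sample, the script reports one oversized body and one burst, both from 203.0.113.9, and nothing for the normal client; the port 443 line is ignored. The oversized check is the more specific of the two signals, because a legitimate ONVIF SOAP request is a few kilobytes, whereas a rate threshold has to be calibrated against how often management software actually polls each camera.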

“In the security cameras that we looked at, this library is a big problem. With some other security devices and other general applications of gSOAP it may not be as big of a problem,” Tanji said. “We just don’t know, because we haven’t done the extensive research.”

Tanji said that Senrio privately disclosed the vulnerability in May and waited until Axis and Genivia deployed a patch before publicly disclosing the flaw on Tuesday. A scan of the internet using Shodan had revealed 14,700 of Axis’s cameras vulnerable to Devil’s Ivy. Senrio recommends patching, but also keeping security devices off the public internet and behind a firewall.

“Devil’s Ivy highlights the industry’s growing concern with the security of IoT. We forget or don’t realize that many of the devices we use every day are computers — from the stoplight at your street corner to the Fitbit you wear on your wrist — and therefore are just as, if not more, vulnerable as the PC you sit in front of every day,” researchers said.

Repositories hosted with ONVIF Forum and at places such as GitHub, Bitbucket and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. However, security experts have long warned the amount of insecure software tied to reused third-party libraries is staggering. In an analysis of 25,000 applications, researchers at Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.

Attachments:

"Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices" -- original.pdf

"Bad Code Library Triggers Devil’s Ivy Vulnerability in Millions of IoT Devices" -- translation.pdf
