ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered (Devil's Ivy)

Published Jul 10, 2017 12:49 PM

A vulnerability has been discovered in a toolkit that video surveillance manufacturers widely use for implementing ONVIF.

In this report, we examine what this vulnerability is, how it works, who is impacted, and what to do.

SOAP ******* *************

*** ************* ****** ** ********'* ***** *******, ***** *********** ******** **** ****. Many ***** ************ ************* ************ ***** use ***** ** ***** ************.

******* *** ************ *** *************** ******** *.* ** *.*.**, ******:

******** *** ****** ***** ******* *.*.** or ******* ** *** * ********* vulnerability **** *** ** ******* **** large *** ******** *** ******** **** 2 ** ** ****.

**** ****** ******** *** ** **** to ***** ******* ******* ** *** device ******, ********* ******* **** ******.

*** ** *** **** **** ******* (or ******** ** **) ** ******** within ****** ********, ***** ********* **** no **** *** ** **** ** the ******** ** ***** ****** ** affected ******* * ************ ************.

Vulnerability **********

[****** */**/****] ****** ******** ***** ******** this *************, ********* ****** ** "*****'* Ivy" *** ********* ********:*****'* ***: **** ** ****** **** Third-party **** ******* ********.

Widely **** ** *************

*******'* ***** ******* ** ****** **** for ***** *************** ***** *************, ********* to ************* **** ***** ****. *** toolkit **** ***** ** **** *** non-ONVIF ********, **** ** ** ****** a ******* ****** ******/************* ***.

Blocking ***** *******

***** *** ************* ******* ** ********* large ***** (*.*., ***) ** ******* the ****** ********, ** * ************ restricts **** *******, **** ** **** use *** ******** ***** ********, **** would ** *********. **** ** ********, but *** ****** ****, ***** ** the *** ****** **** *** ****** uses.

Manufacturer ********* ** ************* *********

**** ***** * ****** ** ******** manufacturers ***** **** *************. ***** ********* are *****:

  • *******: **, **** *** *** ***** toolkit.
  • ********: ***,******** ******** ******, *** ******* ********/***
  • ****: ***,******** * ******** ******, *** ******* ********.
  • *****: **, **** *** *** ***** toolkit
  • *****: ************
  • *****: ***, *** **** ** ******* potential, *** ***: ********* ****
  • *******: **, **** *** *** ***** toolkit.
  • ******: **, **** *****, *** ****** or ******* *** **** *******.****** ********* ** ***** *************.
  • *********: **, **** *** *** *****.
  • *********: ***, ******* *** ** **** release. ********* ********* ***** ** ************ ********* ******* ****** *****.
  • *********: **, **** *** *** ***** toolkit.
  • *****: **, **** *****, *** ***** or ****** *** **** *******.

*** ************* ********, ***** ****** ***** directly ** *******/******** ******* *** ***** manufacturers, ** ** ** ******** *** all ******** *** ********, ** **** patched ******** ** *** *** *********.

**** ***** ** ****** **** **** responses ** ** *******.

100s ** ************* *******

***** **** *** ******* *** ** a ****** ** *** ****** *************, hundreds ** ********* / ************* *** ONVIF (***+ ***** ******* *** *,***+ ONVIF ******* * ******** ** ** this ***********). ** ******* **** ** them *** ********.

ONVIF ************ ** *****

****** *** ***** ******* ** ***** used ** ********* ***** ************* ** devices, *** ************* ** ******* ** the *******, *** ***** ************. ** is **** ******** *** ************* ** implement **** ***** *********** ******* ***** this *******. *** ***** *******, * device's ***** ******* ******* ** *********** listing *** *** ** **** ** give *** ********** ** **** *** this *************.

ONVIF ***** *** ********* ** *******

***** **** *** ********* ******* ** IPVM ********* ***** *** **** *************:

***** ** *** **** ** *** ONVIF **************, *** ** **** ** the **** *** *** ***** ***, it ** ******** **** ***** ***** members ***** ** ********. *****, *********, agreed ** **** *** * ********* to *** ******* ** **** **** aware ** *** *************.

No ***** ** ******** ********

****** *** *** ******** *** ***** of ******* **** *** *** *******, making ** ****** ******** ** ** used ** *** *****-**** *******, *** more ** * *********** ****. ******* has **** *** ******** *** ********* of ***** ***** ********, ** ***** to **** ** **** ********* *** potential ********* ** ********** ******* *** the ******* ***** ** ******* ***.

Low **** ** *******

*** ****** ** ****** ******** ******* makes **** ******** ****** ********, *** can ******* ***** *** *****, ** deep ********* ** *** ****** ******, to **** * ********** ****** **** reveals **** ** ******** **** ******. Because ** ****, *** *** **** that *** ******* ** *** ******** XML ********** ******** *** ** ******* are ***** ******** ** **** ** hard *** **** ************* **** ** put ** **** ***.

Mitigating ****

******* ** **** ***** ***** ******** vulnerabilities ** ******* *******, *********** ******* access ** *** **** **** ******* reduce *** ****** ** *******. ******* utilizing * *** ** ******** *** remote ******, ******* ** ***** ******** connected ** *** ********, *** *********** immune **** ****** ****** (****** ** is ******** *** *** *** ****** to **** ***************). ************, ********* ******** to ************-*********** ********, ** **** ****** available, **** ********* **** ******** *************.

Comments (23)
Undisclosed Integrator #1
Jul 10, 2017

nice tight informative to the practitioner reporting. these are the articles that make subscribing more than worth it.

(4)
(2)
Brian Karas
Jul 10, 2017
IPVM

UPDATE - we received a response from Hikvision that they do not use the gSOAP toolkit, and updated the report accordingly.

(1)
Undisclosed #2
Jul 10, 2017
IPVMU Certified

...users generally have no easy way to tell if the firmware in their device is affected without a manufacturer confirmation.

Perhaps a test can be fashioned, based on some unrelated behavior, like was done with the Heartbleed bug.

However, given what is already known, and the fact that the toolkit developer has released a patch, the formal release will likely not provide any significant new information.

Why not?  Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?

Brian Karas
Jul 10, 2017
IPVM

Why not? Wouldn't a working or close to working exploit help identify whether the code at risk is in general use in our industry?

I do not believe any sample code/"close to working" exploits are going to be released as part of Senrio's formal publication.

Scott Napier
Jul 11, 2017

I am reaching out to them directly, but does anyone know if Tyco/ American Dynamics is affected by this?

Brian Karas
Jul 11, 2017
IPVM

Scott -

I did reach out to a contact at Tyco to ask about their product lines but have not heard back yet. If you hear anything let us know and I will update this report with their feedback.

John Lineweaver
Jul 11, 2017

Thank you for the alert!

Orlando Ayala
Jul 12, 2017

Small thing but moving ONVIF between Used and Toolkit helps my brain comprehend that title. Otherwise, great information.

John Honovich
Jul 12, 2017
IPVM

Orlando, thanks for the feedback on the title. We struggled with the proper phrasing. For example, your recommendation would be 'Widely Used ONVIF Toolkit Vulnerability Discovered'. That would flow better generally but be technically incorrect because it's not an ONVIF toolkit, neither by gSOAP's design nor by ONVIF's design. It just happens to be a toolkit that has been widely used by companies implementing ONVIF since ONVIF requires SOAP and gSOAP is a toolkit for implementing SOAP support.

(1)
(2)
Orlando Ayala
Jul 12, 2017

Makes sense. 

Undisclosed #4
Jul 12, 2017

Thank you Brian for this great information. Just one thing, it is "Genivia" not Genevia. It might be confusing for some users when they search on google. 

Brian Karas
Jul 12, 2017
IPVM

Thanks, I corrected the mentions of Genivia in the report.

Brian Karas
Jul 14, 2017
IPVM

UPDATE: Avigilon released a notice on the gSOAP vulnerability, confirming they were affected. They have also released updated firmware/VMS software.

Undisclosed #2
Jul 16, 2017
IPVMU Certified

More vendors who use gSOAP should "come clean".

(2)
Brian Karas
Jul 18, 2017
IPVM

UPDATE

Senrio released their report on this exploit, naming it "Devil's Ivy":

Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions

Undisclosed #2
Jul 18, 2017
IPVMU Certified

Here's the associated link to the technical details of the working exploit.

I'm not sure why given this exploit, a generic checker couldn't be fashioned, but my guess is that the exploit code must be specifically written for each firmware version...

(1)
Brian Karas
Jul 19, 2017
IPVM

Axis made this vulnerability the top item in their July newsletter:

(2)
(1)
Ryan Hulse
Jul 19, 2017

I am the product manager for exacqVision. 

exacqVision uses an affected version of gSOAP as a client device. That is, exacqVision is not listening but rather makes SOAP requests from dynamically assigned ports that close after the response is received from the server (cameras in most cases). To be exploited, exacqVision would have to make a request to a malicious server/camera on the local network that would reply with the payload.

Although exploitation is improbable, exacqVision will receive an update to patch the vulnerability in the September release.

(2)
Brian Karas
Jul 19, 2017
IPVM

Ryan -

Thanks for the additional info, I will add a line for exacq into the report.

Brian Karas
Jul 20, 2017
IPVM

UPDATE - We received a statement from Bosch that they use their own software for handling SOAP/XML parsing and are not vulnerable to this. 

Brian Karas
Jul 26, 2017
IPVM

UPDATE - We already had Hanwha listed as not impacted, but have added a link to Hanwha's update stating they are not affected.

Undisclosed End User #5
Jul 26, 2017

http://www.tycosecurityproducts.com/cyberprotection.aspx

Johnson Controls

6 Technology Park Drive

Westford, MA 01886-3140

Tele: 978 577 4000

18-July-2017 CPP-PSA-2017-02 v2

PRODUCT SECURITY ADVISORY

gSOAP – DEVIL’S IVY

(CVE-2017-9765)

On July 18th Senrio published details regarding a buffer overflow vulnerability in the gSOAP library. gSOAP is used to parse XML requests and is commonly used in physical security products where ONVIF and WS-Discovery are employed.

Exploitation of the vulnerability requires a large (>2Gb) request to be sent to a vulnerable device. If successful, the service or device may stop operating. With some effort and detailed information for a specific device, it may be possible to create a custom exploit to allow an attacker access to the underlying operating system. For more information and technical breakdown, see Senrio’s blog posts (links below).

The most vulnerable devices are devices acting as servers that must be able to receive SOAP requests. This includes cameras that use ONVIF and WS-discovery for device discovery and other functions.

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

VideoEdge NVR and Exacq NVRs use an affected version of gSOAP as a client device to discover and manage cameras. Verified through testing by our Cyber Protection engineers, these devices make SOAP requests from dynamically assigned ports that close after the response is received from the server.

Although exploitation may not be possible, in accordance with their patch policies, both products will receive an update to correct the vulnerability in the next regular update to the product.

The CEM Systems S3040 portable reader and the Portable Sub-System software used on the CEM Systems AC2000 CDC servers to service these readers use an affected version of gSOAP. A patch that resolves this vulnerability in AC2000 versions 6.6 to version 8.0 will soon be available. CEM Systems is still investigating the full impact of the vulnerability in the portable reader.

Illustra Essentials do not use gSOAP and are not affected.

American Dynamics victor Application Server and Clients do not use gSOAP.

Software House C•CURE 9000 and iSTAR panels do not use gSOAP.

Kantech products do not use gSOAP.

As more information about the vulnerability becomes available, we will be updating this advisory. If you do experience any problems or have any questions, please contact your technical support team or the Cyber Protection Program at TSPCyberProtection@tycoint.com

Illustra ONVIF Ports

Port   Type   Direction   Purpose
8080   TCP    Inbound     HTTP proxy for ONVIF information, WS-discovery
8081   TCP    Inbound     ONVIF media service
8082   TCP    Inbound     ONVIF ptz service
8083   TCP    Inbound     ONVIF event service
8084   TCP    Inbound     ONVIF imaging service
8085   TCP    Inbound     ONVIF device IO service

(1)
(3)
John Honovich
Jul 26, 2017
IPVM

#5, thanks!

Btw, this section was interesting / confusing:

Illustra Pro, Illustra Edge, and Illustra Flex series cameras do use a vulnerable version of gSOAP and act as a server with the following ports accepting SOAP requests.

The cameras do limit the size of information that can be received at these ports preventing exploit. Large requests are received in multiple segments. When a segment would push the total received data beyond a set threshold, the camera sends a RST to close the connection.

Illustra cameras do allow for ONVIF to be disabled under the Remote Access tab on the camera web UI. When disabled, the service processing SOAP requests on the camera is terminated and requests sent to the camera ONVIF ports are ignored.

Although exploitation may not be possible, in accordance with the policies set by the Cyber Protection program, the Illustra cameras will receive an update to correct the vulnerability in the next update to the products’ firmware.

The net/net appears that they are not vulnerable since they do not allow 2GB uploads. If that is correct, they would have made for a simpler response to simply say they are not vulnerable?

(1)
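The Johnson Controls advisory quoted above describes the control its engineers tested on the Illustra cameras (received segments are totalled against a threshold, and the connection is reset once a segment would push the total past it), Ryan Hulse's comment describes the mirror-image exposure on the client side (a VMS parsing a response from a hostile camera), and the last comment asks whether a camera that refuses 2 GB uploads is effectively not vulnerable. The C below is an added example written for this page, not code from gSOAP, Genivia, Tyco/Johnson Controls or any other vendor named here; it shows what that bounding policy looks like when built into a receive path. It gates on the declared Content-Length before buffering a body byte, then bounds the running total segment by segment so a lying Content-Length or a chunked body is caught too, and closes with a zero linger so the kernel emits the RST the advisory mentions. The 64 KiB cap, every function name, and the header strings are assumptions for illustration. A cap like this is defence in depth against the >2 GB message CVE-2017-9765 needs; it does not replace updating gSOAP, which is why the advisory still ships firmware fixes.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed cap for illustration: far below the >2 GB that CVE-2017-9765 needs,
 * far above any legitimate ONVIF request or response. */
#define SOAP_MAX_MESSAGE (64UL * 1024UL)

#define LEN_ABSENT  (-1LL)  /* no Content-Length: rely on the running-total check */
#define LEN_INVALID (-2LL)  /* malformed or overflowing Content-Length: reject */

/* Receive-side accumulator modelled on the segment-by-segment check in the advisory.
 * Serves a camera reading a request and a VMS/NVR reading a response alike. */
typedef struct {
    char *buf;
    size_t len;
    size_t cap;   /* hard limit on len */
    int rejected; /* latched once a segment would exceed cap */
} soap_rx;

int soap_rx_init(soap_rx *rx, size_t cap) {
    rx->buf = malloc(cap + 1); rx->len = 0; rx->cap = cap; rx->rejected = 0;
    return rx->buf != NULL;
}

/* Append one segment. Returns 1 if accepted, 0 if it would push the total past
 * the cap (the caller then resets the connection). Written as cap - len < n
 * rather than len + n > cap so the comparison itself cannot wrap on a huge n. */
int soap_rx_append(soap_rx *rx, const char *seg, size_t n) {
    if (rx->rejected || rx->cap - rx->len < n) {
        rx->rejected = 1;
        return 0;
    }
    memcpy(rx->buf + rx->len, seg, n);
    rx->len += n;
    rx->buf[rx->len] = '\0';
    return 1;
}

/* Parse Content-Length from a CRLF-delimited HTTP header block. Returns the
 * value, LEN_ABSENT, or LEN_INVALID (non-digits, trailing junk, or overflow). */
long long soap_declared_length(const char *headers) {
    for (const char *line = headers; *line && strncmp(line, "\r\n", 2) != 0; ) {
        if (strncasecmp(line, "Content-Length:", 15) == 0) {
            const char *v = line + 15; char *end;
            while (*v == ' ' || *v == '\t') v++;
            if (!isdigit((unsigned char)*v)) return LEN_INVALID;
            errno = 0;
            unsigned long long n = strtoull(v, &end, 10);
            if (errno == ERANGE || n > (unsigned long long)LLONG_MAX) return LEN_INVALID;
            if (*end != '\r' && *end != ' ' && *end != '\t' && *end != '\0') return LEN_INVALID;
            return (long long)n;
        }
        line = strstr(line, "\r\n");
        if (!line) return LEN_ABSENT;
        line += 2;
    }
    return LEN_ABSENT;
}

/* Header-stage gate: reject before a single body byte is buffered. A missing
 * Content-Length (chunked encoding) passes; the accumulator bounds it instead. */
int soap_precheck(const char *headers, size_t cap) {
    long long declared = soap_declared_length(headers);
    if (declared == LEN_ABSENT) return 1;
    if (declared == LEN_INVALID) return 0;
    return (unsigned long long)declared <= cap;
}

/* Close with SO_LINGER {1, 0} so the kernel sends RST rather than FIN, as the advisory describes. */
int rst_close(int fd) {
    struct linger lg = { 1, 0 };
    setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
    return close(fd);
}

/* Stand-in for the socket read loop: feed `total` bytes of constructed filler in
 * `seg`-byte pieces and return how many pieces were accepted before the cap rejected one. */
size_t segments_accepted(size_t seg, size_t total, size_t cap) {
    char *chunk = malloc(seg);
    soap_rx rx;
    size_t accepted = 0, sent = 0;
    if (!chunk || !soap_rx_init(&rx, cap)) { free(chunk); return 0; }
    memset(chunk, 'A', seg);
    while (sent < total) {
        size_t n = total - sent < seg ? total - sent : seg;
        if (!soap_rx_append(&rx, chunk, n)) break;
        accepted++; sent += n;
    }
    free(rx.buf); free(chunk);
    return accepted;
}
```

In a real server loop the sequence is: read the header block, call `soap_precheck` and `rst_close` on failure, then feed each `recv` result to `soap_rx_append` and `rst_close` the moment it returns 0. With the assumed 64 KiB cap, a 1 MiB stream delivered in 4 KiB pieces gets exactly 16 pieces in before the reset, and a request declaring `Content-Length: 2147483700` is refused before any body is read. The cap answers the question in the last comment only for the attack path that needs the oversized message; it says nothing about other bugs in the same parser, which is the reason to still take the firmware update.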