A vulnerability codenamed Devil's Ivy is putting thousands of Internet-connected devices at risk of hacking.
Discovered by security researchers from Senrio, the flaw affects gSOAP, a C/C++ library widely used in the development of firmware for embedded devices.
gSOAP is a dual licensed (free and commercial) product developed by Genivia, who on its website says the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."
Senrio researchers initially discovered the vulnerability while analyzing the firmware of the Axis M3004 security camera.
After contacting the camera vendor with their findings, Axis told Senrio that the Devil's Ivy vulnerability affects 249 of 252 security camera models the company makes, which use firmware that includes the gSOAP toolkit.
The vulnerability is a simple buffer overflow, but Senrio researchers have managed to use it to execute code on the Axis security camera. A video recorded by researchers is embedded below, demoing the attack:
Axis has issued firmware updates for some of the affected devices. Genivia, the company behind gSOAP, has also released version 2.8.48 on June 21, a version that includes a patch for Devil's Ivy.
The problem is that gSOAP is very popular among many IoT and networking equipment vendors. On their website, Genivia claims the library was downloaded over one million times.
The library is one of the coding tools recommended by the ONVIF Forum, an unofficial international group of hardware vendors that issues recommendations on networking-related best practices.
According to data obtained by Senrio, about 6% of all the ONVIF members use gSOAP for their products. Senrio estimates that "thousands of devices" may be vulnerable to Devil's Ivy.
A technical report detailing the vulnerability is available here. Devil's Ivy is tracked as CVE-2017-9765.