gSOAP Flaw Leaves Thousands of IoT Devices Vulnerable to Remote Code Execution

- July 19, 2017

On Tuesday, the security firm Senrio disclosed a vulnerability in code used in a large number of security cameras and “physical security products.”

Wired reports that the flaw is within code called gSOAP, a C and C++ development toolkit used in XML parsing and web services. The code’s creator, a company called Genivia, says at least 34 different companies use gSOAP in their IoT products.

By exploiting the vulnerability, an attacker could remotely force a device to run malicious code, deny use of the device or even crash it.

Pervasive reuse of the same code across uniform products, such as Internet-enabled cameras, can spread a vulnerability over many thousands of devices. Wired’s Andy Greenberg notes that while this particular vulnerability was found in an IoT device, many Fortune 500 companies use the code in various ways.

gSOAP is used to implement a protocol known as ONVIF (Open Network Video Interface Forum). The ONVIF consortium has “nearly 500 members,” including a number of Fortune 500 companies, though there is currently no indication any products from any of those companies are vulnerable.

Well-known network security expert and hacker H.D. Moore told Wired that the vulnerability is definitely widespread, but that exploiting it requires nontrivial effort. Threat actors would need to configure attacks separately for each device and send each device two gigabytes’ worth of data, he said. Even so, this vulnerability “highlights how supply code is shared across the Internet of Things. With IoT, code reuse is vulnerability reuse,” Moore told Wired.

Genivia chief executive Robert Van Engelen told Brian Krebs his company is doing all it can to reach out to customers.

Krebs also writes that this vulnerability is a reminder of the Mirai event, which used hundreds of thousands of vulnerable IoT devices to launch massive DDoS attacks against Krebs’ site and large content delivery providers Dyn and OVH in the fall of 2016. In this case, though, the nature of the vulnerability makes a Mirai-level exploit unlikely: that would require easy or even automated iteration of the infection, something not easily done with the gSOAP flaw.