Millions of IoT devices hit by 'Devil's Ivy' bug in open source code library | ZDNet - IoTOnliner.com

Millions of IoT devices hit by ‘Devil’s Ivy’ bug in open source code library | ZDNet

Visit Source

IoT News IoT Security save

Posted 7 years ago

details

Devil’s Ivy is likely to remain unpatched for a long time: “code reuse is vulnerability reuse”.

A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack.

Researchers at IoT security firm Senrio discovered the Devil’s Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications. The bug occurs when sending a large XML file to a vulnerable system’s web server.

The flaw itself lies in gSOAP, an open source web services code library maintained by Genivia, which is imported by the Axis camera’s remote configuration service. Senrio researchers were able to use the flaw to continually reboot the camera or change network settings and block the owner from viewing the video feed.