Is the gSOAP Vulnerability Really a Surprise for IP camera users?

It has recently been identified and reported that the ubiquitous gSOAP library used in many vendors’ IP cameras is subject to a stack buffer overflow vulnerability (CVE-2017-9765), referred to as Devil’s Ivy by its discoverers, Senrio Labs. Devil’s Ivy results in remote code execution, and was found not in vendor code but in an open source third-party library, gSOAP.

When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed.

This has resulted in widespread concern. However, should the existence of, and widespread exposure to, this sort of problem really be a surprise?

There have been a number of estimates of the ratio of exploitable bugs to lines of code, ranging from 1:1,000 to less than 1:50,000. While many such benchmarks are individually meaningless, the implications are clear virtually regardless of which statistic is used.

If we assume that the average IP camera probably has in excess of 50 million lines of code in total, even the most favourable benchmark implies there are probably over 1,000 undiscovered vulnerabilities at any one time.

Taking gSOAP specifically, it is about 150,000 lines of code, so it should not really come as a surprise that a vulnerability has been found in it.

So how do you mitigate this risk? That is the question I would expect many to ask.

While a vulnerability may exist, it takes a great deal of effort first to find and then to exploit it. However, the more ‘predictable’ common code that is included within the architecture, especially within the user interface, the greater the ‘attack surface’ that is presented to a cyber attacker.

Similarly, if there are a large number of IoT devices, such as IP cameras, that are directly accessible, either on the internet or within a private network, then this increases the ‘attack surface’ and the ‘attack return’.

So this exposes two key flaws in the majority of IP Video Surveillance architectures today.

For an ONVIF IP camera design, the recommended and preferred way to keep the firmware up to date as the schemas are revised to new levels is to use gSOAP as the library that decodes the SOAP commands central to the ONVIF implementation; hard coding explicit handlers is frowned upon as an acceptable method. Common Linux kernels and command shells also prevail, and many designs specifically use libraries such as GStreamer, which is often the primary chip-vendor-supported interface to the DSP and codec services.

Mike Newton

The classic VMS-based surveillance IP camera architecture relies on a Video Management System to manage user credentials and configuration settings, such that users can access the streams from IP cameras directly. This requires direct connections between a number of users within a corporate network and a large number of individual endpoints. These security endpoints can therefore be accessed from many locations, and have communication paths to many users and services, both within the corporate network and potentially beyond it, out onto the internet. While manually configured firewall rules are possible, the overhead of implementing such protection means it is often overlooked.

It is becoming increasingly obvious that simple web streaming architectures over general network services, sharing large elements of open source code and services driven by inter-vendor compatibility, are completely contrary to the needs of the surveillance industry. Vendor-specific solutions, while possibly containing as many undiscovered vulnerabilities, are far less likely to be the subject of such an attack, as the ‘attack return’ is much more limited.

The use of segregated, automatically hardened network layers, ideally allowing access to individual surveillance endpoints only via well-defined gateways, not only greatly improves protection from such attacks but also significantly mitigates and limits the effect of any such attack if it were to occur.
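As an added illustration of the gateway principle described above and of the direct-access problem in the VMS architecture two paragraphs earlier, the following nftables ruleset is example configuration written for this article, not NetVu or Dedicated Micros code. It assumes a constructed layout: cameras on a dedicated segment 10.20.0.0/24 reached through interface cam0, the corporate LAN on lan0, and a single VMS host at 10.10.0.5 acting as the only permitted gateway to the cameras. The addresses, interface names and port list are assumptions for the example.

```nftables
# Example ruleset for the router/firewall sitting between the corporate LAN
# (lan0) and the segregated camera segment (cam0). All values are constructed.
table inet surveillance_gw {
  chain forward {
    # Default deny: nothing crosses between segments unless explicitly allowed.
    type filter hook forward priority 0; policy drop;

    # Allow replies to connections that were already permitted below.
    ct state established,related accept

    # Only the VMS host may open connections to cameras, and only to the
    # ONVIF (HTTP/SOAP) and RTSP ports it actually needs.
    iifname "lan0" oifname "cam0" \
      ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 \
      tcp dport { 80, 554 } ct state new accept

    # Log and drop any other user or service trying to reach a camera directly.
    iifname "lan0" oifname "cam0" log prefix "cam-direct-access-denied " drop

    # Cameras never initiate connections out of their own segment, so a
    # compromised camera cannot reach the LAN or the internet.
    iifname "cam0" log prefix "cam-egress-denied " drop
  }
}
```

With this in place, users still view video through the VMS, but the camera’s SOAP listener is reachable from exactly one host rather than from every desktop on the LAN, and the logged drops give the operator a simple indicator of unexpected access attempts or of a camera that has started calling out.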

Such methods have been the core tenet of the Closed IP TV, Secure IP Video solution and NetVu Connected protocols from NetVu Ltd and Dedicated Micros Inc. since the mid 2000s, introduced long before the video surveillance market had to accept that IP video networks could be vulnerable to attack if the security issues were not addressed.

Article authored by Mike Newton, CTO of NetVu Ltd. Mike has over 30 years of expertise in the video surveillance industry and through his various companies has been at the forefront of video detection and surveillance technology innovation throughout that time.