
Tenable Blog


Is the Devil’s Ivy in your Network?

Over the past several years, Tenable has discussed the growing concerns around Internet of Things (IoT) security. Because IoT devices such as cameras, door sensors, and many more are static in nature, correcting flaws in their third-party libraries becomes increasingly difficult. Yesterday, the researchers at Senrio discovered a serious flaw in the gSOAP library found in many IoT devices, such as the AXIS M3004. Tenable.io and SecurityCenter use active and passive detection methods to identify these vulnerable systems by enumerating the operating systems and detecting versions of vulnerable third-party libraries.

Many manufacturers recommend customers or installers use segmentation strategies when deploying IoT devices to address potential security vulnerabilities. While segmentation is a good plan when deployed correctly, often the installer and IT organizations do not fully test access control methods. For example, the IoT device might be placed in a separate Virtual Local Area Network (VLAN), but the Access Control Lists (ACL) are not fully implemented and tested. I often ran into these issues when performing security assessments and pen-tests. I would go into a network as a normal user and use Nessus to discover all of the live devices on the network. After stumbling onto Industrial Control Systems (ICS), IP phones, and other devices that are not heavily monitored, I would then clone a MAC address or use some other method to change VLANs and begin to attack the network as if I were an IP Camera. If ACLs were properly implemented, I would quickly find I had no access, but that was seldom the case. Instead, I often found I had more access from the “Segmented VLAN”. This example illustrates why the Devil’s Ivy vulnerability is so dangerous.
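One way to check that a camera VLAN's ACL matches the segmentation design before relying on it is to replay the flows that must be blocked against the exported rule list. The sketch below is an added example, not Tenable's code; the rule format, addresses and flows are constructed, and it assumes top-down, first-match evaluation with an implicit deny.

```python
import ipaddress

# Constructed ACL for traffic leaving the camera VLAN (10.20.0.0/24).
# Assumed semantics: evaluated top-down, first match wins, implicit deny at the end.
# Each rule: (action, source, destination, destination port or None for any port).
CAMERA_VLAN_ACL = [
    ("permit", "10.20.0.0/24", "10.10.5.20/32", 554),   # cameras -> video recorder
    ("permit", "10.20.0.0/24", "10.10.5.21/32", 123),   # cameras -> NTP server
    ("permit", "10.20.0.0/24", "10.0.0.0/8", None),     # leftover "temporary" rule
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Flows the segmentation design says must be blocked or allowed (constructed).
MUST_BE_DENIED = [
    ("10.20.0.15", "10.10.1.5", 445),    # camera -> file server
    ("10.20.0.15", "10.10.1.9", 3389),   # camera -> workstation
    ("10.20.0.15", "10.10.5.20", 22),    # camera -> recorder on the wrong port
]
MUST_BE_PERMITTED = [("10.20.0.15", "10.10.5.20", 554)]


def evaluate(acl, src, dst, port):
    """Return (action, rule index) of the first matching rule; implicit deny otherwise."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, rule_src, rule_dst, rule_port) in enumerate(acl):
        if (src_ip in ipaddress.ip_network(rule_src)
                and dst_ip in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action, index
    return "deny", None


def audit(acl, denied, permitted):
    """List every flow whose actual result differs from the design intent."""
    failures = []
    for expected, flows in (("deny", denied), ("permit", permitted)):
        for flow in flows:
            action, index = evaluate(acl, *flow)
            if action != expected:
                failures.append((flow, expected, action, index))
    return failures
```

Calling audit(CAMERA_VLAN_ACL, MUST_BE_DENIED, MUST_BE_PERMITTED) reports all three blocked flows as permitted by the broad rule at index 2. An offline check like this complements, and does not replace, testing reachability from a host inside the VLAN.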

Devil's Ivy diagram

Vulnerability Detection

The vulnerability discovered within the gSOAP library is a classic buffer overflow, which allows the attacker to execute arbitrary code. Tenable’s research team developed a new Nessus plugin to detect the affected devices by extracting the banners from services such as FTP and SNMP. The Nessus Network Monitor uses the following plugins to detect AXIS cameras from FTP and SNMP traffic traversing the network:

  • AXIS Camera Detection via FTP (9681)
  • AXIS Camera Detection via SNMP (9683)

Tenable.io Vulnerability Management and Nessus will use Plugin 101810 “AXIS Camera gSOAP Message Handling RCE (ACV-116267) (Devil's Ivy)” to identify the vulnerable AXIS systems. The plugin relies on banners from FTP and SNMP services running on the Axis cameras. In certain cases the plugin can also extract the version by querying the ‘param.cgi’ file on the device. Tenable.io Container Security also detects vulnerable third-party libraries, such as gSOAP, embedded within containerized application workloads.
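The banner-based approach described above can be illustrated over already-collected inventory data. This is an added example, not the Nessus plugin's logic; the banner layouts, the fixed-version table and the sample hosts are assumptions constructed for illustration.

```python
import re

# Assumed banner layouts (constructed for this example, not taken from the page):
#   FTP greeting : "220 AXIS <model> <product type> <firmware> (<build date>) ready."
#   SNMP sysDescr: "; AXIS <model>; <product type>; <firmware>; <build date>; ..."
PATTERNS = [
    re.compile(r"^220[ -]AXIS\s+(?P<model>\S+)\s.*?(?P<fw>\d+(?:\.\d+)+)\s+\(", re.I),
    re.compile(r"^\s*;\s*AXIS\s+(?P<model>[^;\s]+)\s*;[^;]*;\s*(?P<fw>\d+(?:\.\d+)+)\s*;", re.I),
]

# PLACEHOLDER first-fixed firmware per model: constructed, take real values from the vendor advisory.
PLACEHOLDER_FIXED = {"M3004": "5.50.5.3"}

def version_key(text):
    """Turn '5.50.5' into (5, 50, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def parse_banner(banner):
    """Return (model, firmware) for an AXIS banner, or None for anything else."""
    for pattern in PATTERNS:
        match = pattern.search(banner.strip())
        if match:
            return match.group("model").upper(), match.group("fw")
    return None

def assess(inventory, fixed=PLACEHOLDER_FIXED):
    """Classify each (host, banner) pair; non-AXIS hosts are left out of the result."""
    findings = {}
    for host, banner in inventory:
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        model, firmware = parsed
        if model not in fixed:
            status = "review"      # AXIS device with no known fixed version: check by hand
        elif version_key(firmware) < version_key(fixed[model]):
            status = "vulnerable"
        else:
            status = "patched"
        findings[host] = (model, firmware, status)
    return findings

# Constructed sample inventory (documentation-range addresses, invented banners).
SAMPLE = [
    ("192.0.2.10", "220 AXIS M3004 Network Camera 5.50.5 (2014) ready."),
    ("192.0.2.11", "; AXIS M3004; Network Camera; 5.50.5.3; Jul 10 2017 10:00; 1AB;"),
    ("192.0.2.12", "220 AXIS X9999 Network Camera 6.50.1 (2017) ready."),
    ("192.0.2.13", "220 ProFTPD Server ready."),
]
```

Banner data can be suppressed or stale, so a "patched" result here is only as reliable as the banner itself; AXIS devices with unknown models are flagged for manual review rather than assumed safe.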

IoT & AXIS Dashboard

The IoT Device Summary dashboard, available via the SecurityCenter Feed, leverages data from the Tenable sensors to offer insight into IoT-related activity on your network. By adding a subnet, IP address, or asset filter to the components in this dashboard, you can tailor the results to focus on your IoT devices. The dashboard allows you to track IoT device network connections as well as detect IoT cameras by ONVIF-compliant vendor.

IOT Devices Summary Dashboard

Attack Vector

Do not underestimate the seriousness of this vulnerability.

Physical security companies that install and rely on these vulnerable cameras are at potential risk. If the installers fail to apply this patch or fail to secure the VLANs, cyber criminals can use the camera systems to assist in physical compromises. Once the camera systems are compromised, adversaries can reset all of the cameras or load their own version of the operating system. At that point, they have full control over the cameras, which can have serious consequences, including disabling the camera or deleting any captured evidence.

Wrap-Up

Many vulnerabilities can cause a loss to business processes or cause employees to recreate data; however, this vulnerability is the type that often gets easily (mistakenly) dismissed. Vendors often say, “We have a firewall,” and ignore the risks. Devil’s Ivy will be with us for some time as IoT systems are not easily patched.

To prevent this vulnerability from causing damage or revenue loss, Tenable recommends you properly segment your IoT networks using tightly controlled ACLs and quickly deploy any patches related to Devil’s Ivy vulnerabilities.

For more information

Many thanks to the Tenable research team for their contributions to this blog
