Is the Devil’s Ivy in your Network?


Over the past several years, Tenable has discussed the growing concerns around Internet of Things (IoT) security. With the static nature of IoT devices such as cameras, door sensors, and many more, the ability to correct flaws in third-party libraries becomes increasingly difficult. Yesterday, the researchers at Senrio discovered a serious flaw in the gSOAP library found in many IoT devices, such as the AXIS M3004. and SecurityCenter use active and passive detection methods to identify these vulnerable systems by enumerating the operating systems and detecting versions of vulnerable third-party libraries.

Many manufacturers recommend customers or installers use segmentation strategies when deploying IoT devices to address potential security vulnerabilities. While segmentation is a good plan when deployed correctly, often the installer and IT organizations do not fully test access control methods. For example, the IoT device might be placed in a separate Virtual Local Area Network (VLAN), but the Access Control Lists (ACLs) are not fully implemented and tested. I often ran into these issues when performing security assessments and pen-tests. I would go into a network as a normal user and use Nessus to discover all of the live devices on the network. After stumbling onto Industrial Control Systems (ICS), IP phones, and other devices that are not heavily monitored, I would then clone a MAC address or use some other method to change VLANs and begin to attack the network as if I were an IP camera. If ACLs were properly implemented, I would quickly find I had no access, but that was seldom the case. Instead, I often found I had more access from the “segmented VLAN”. This example illustrates why the Devil’s Ivy vulnerability is so dangerous.

Devil's Ivy diagram

Vulnerability Detection

The vulnerability discovered within the gSOAP library is a classic buffer overflow, which allows an attacker to execute arbitrary code. Tenable’s research team developed a new Nessus plugin to detect the affected devices by extracting the banners from services such as FTP and SNMP. The Nessus Network Monitor uses plugins to detect AXIS devices from FTP and SNMP traffic traversing the network.

  • AXIS Camera Detection via FTP (9681)
  • AXIS Camera Detection via SNMP (9683)

Vulnerability Management and Nessus will use Plugin 101810 “AXIS Camera gSOAP Message Handling RCE (ACV-116267) (Devil’s Ivy)” to identify the vulnerable AXIS systems. The plugin relies on banners from the FTP and SNMP services running on the AXIS cameras. In certain cases the plugin can also extract the firmware version by querying the ‘param.cgi’ file on the device. Container Security also detects vulnerable third-party libraries, such as gSOAP, embedded within containerized application workloads.
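The banner-based detection described above can be sketched in code. The following Python is an added example, not Tenable's plugin or any Nessus code: it fingerprints constructed FTP and SNMP banners, parses a constructed param.cgi response, and reports whether the observed firmware is below a patched-version threshold. The banner strings, the param.cgi key name and the fixed-version threshold are all assumptions for illustration; the real threshold comes from the vendor advisory (ACV-116267), which the page does not quote.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample inputs (not captured from real devices): an FTP greeting,
# an SNMP sysDescr string and a param.cgi response body of the kind a
# banner-based detection plugin would examine.
SAMPLE_FTP_BANNER = "220 AXIS M3004 Network Camera 5.50.1 (2014) ready."
SAMPLE_SNMP_SYSDESCR = "AXIS M3004 Network Camera 5.50.3"
SAMPLE_PARAM_CGI = (
    "root.Properties.Firmware.Version=5.50.1\n"
    "root.Properties.System.Architecture=mips\n"
)

# Placeholder threshold: the first firmware version assumed to contain the fix.
# The real value must be taken from the vendor advisory; it is only an
# assumption here, not a value from the page.
ASSUMED_FIXED_VERSION: Version = (5, 51, 0)

# Match "AXIS <model> ... <dotted version>" anywhere in a banner.
AXIS_BANNER_RE = re.compile(
    r"\bAXIS\s+(?P<model>[A-Z0-9]+)\b.*?(?P<ver>\d+(?:\.\d+)+)"
)
# The param.cgi key assumed to hold the firmware version.
FIRMWARE_KEY = "root.Properties.Firmware.Version"


def parse_version(text: str) -> Version:
    """Turn '5.50.1' into (5, 50, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def fingerprint_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """Return (model, version) if the banner looks like an AXIS camera, else None."""
    m = AXIS_BANNER_RE.search(banner)
    if not m:
        return None
    return m.group("model"), parse_version(m.group("ver"))


def parse_param_cgi(body: str) -> Optional[Version]:
    """Extract the firmware version from a key=value param.cgi response body."""
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == FIRMWARE_KEY:
            return parse_version(value)
    return None


def assess(ftp_banner: Optional[str] = None,
           snmp_sysdescr: Optional[str] = None,
           param_cgi: Optional[str] = None) -> Optional[dict]:
    """Combine the evidence sources and decide whether the device needs patching.

    Banners identify the device and give a first version; a param.cgi response,
    when available, is treated as the more authoritative version source.
    """
    model = version = source = None
    for name, banner in (("ftp", ftp_banner), ("snmp", snmp_sysdescr)):
        hit = fingerprint_banner(banner) if banner else None
        if hit and version is None:
            model, version = hit
            source = name
    if param_cgi:
        v = parse_param_cgi(param_cgi)
        if v is not None:
            version, source = v, "param.cgi"
    if version is None:
        return None  # no usable evidence; nothing to report
    return {
        "model": model,
        "version": version,
        "source": source,
        # Tuple comparison is numeric per component, so 5.50.1 < 5.51.0 holds.
        "vulnerable": version < ASSUMED_FIXED_VERSION,
    }


if __name__ == "__main__":
    print(assess(ftp_banner=SAMPLE_FTP_BANNER, snmp_sysdescr=SAMPLE_SNMP_SYSDESCR))
    print(assess(snmp_sysdescr=SAMPLE_SNMP_SYSDESCR, param_cgi=SAMPLE_PARAM_CGI))
```

The point of preferring param.cgi over the banners is that a service greeting may lag behind the installed firmware, so a detection that stops at the banner can both miss patched devices and, worse, report a device as fixed when it is not.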

IoT & AXIS Dashboard

The IoT Device Summary dashboard, available via the SecurityCenter Feed, leverages data from the Tenable sensors to offer insight into IoT-related activity on your network. By adding a subnet, IP address, or asset filter to the components in this dashboard, you can tailor the results to focus on your IoT devices. The dashboard allows you to track IoT device network connections as well as detect IoT cameras by ONVIF-compliant vendor.

IOT Devices Summary Dashboard

Attack Vector

Do not underestimate the seriousness of this vulnerability.

Physical security companies that install and rely on these vulnerable cameras are at potential risk. If the installers fail to apply this patch or fail to secure the VLANs, cyber criminals can use the camera systems to assist in physical compromises. Once the camera systems are compromised, adversaries can reset all of the cameras or load their own version of the operating system. At that point, they have full control over the cameras, which can have serious consequences, including disabling the camera or deleting any captured evidence.


Many vulnerabilities can cause a loss to business processes or cause employees to recreate data; however, this vulnerability is the type that often gets easily (mistakenly) dismissed. Vendors often say, “We have a firewall,” and ignore the risks. Devil’s Ivy will be with us for some time as IoT systems are not easily patched.

To prevent this vulnerability from causing damage or revenue loss, Tenable recommends you properly segment your IoT networks using tightly controlled ACLs and to quickly deploy any patches related to Devil’s Ivy vulnerabilities.
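The untested-ACL problem raised earlier (a camera VLAN that exists on paper but still reaches the rest of the network) and the recommendation above to use tightly controlled ACLs can be checked the same way code is: write the intended policy as test cases and evaluate the rule set against them. The following Python is an added example, not Tenable's code or a real ACL engine; the addresses, ports and rules are constructed, and the evaluator assumes first-match semantics with an implicit final deny, which is how most router ACLs behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None means any


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed addressing (assumption): cameras live in 10.10.20.0/24, the video
# recorder is 10.10.30.5, and the rest of the corporate network is 10.0.0.0/16.
CAMERA_VLAN = "10.10.20.0/24"
NVR = "10.10.30.5/32"
ANY = "0.0.0.0/0"

# The "segmented but untested" ACL: cameras may stream to the recorder, followed
# by a trailing permit-any that someone added to make something else work.
LOOSE_ACL = [
    Rule("permit", CAMERA_VLAN, NVR, "tcp", 554),
    Rule("permit", CAMERA_VLAN, ANY),
]

# The tightened ACL: only the recorder, only RTSP; everything else sourced from
# the camera VLAN is explicitly dropped.
TIGHT_ACL = [
    Rule("permit", CAMERA_VLAN, NVR, "tcp", 554),
    Rule("deny", CAMERA_VLAN, ANY),
]

# The intended policy written as test cases: (flow, verdict we require).
# Traffic between two cameras in the same VLAN never crosses the router, so
# it is deliberately not listed here.
EXPECTED: List[Tuple[Flow, str]] = [
    (Flow("10.10.20.15", "10.10.30.5", "tcp", 554), "permit"),  # camera -> NVR stream
    (Flow("10.10.20.15", "10.0.5.20", "tcp", 445), "deny"),     # camera -> file server
    (Flow("10.10.20.15", "10.0.1.1", "tcp", 22), "deny"),       # camera -> admin SSH
    (Flow("10.10.20.15", "10.10.30.5", "tcp", 22), "deny"),     # camera -> NVR management
]


def audit(acl: List[Rule]) -> List[Tuple[Flow, str, str]]:
    """Return every expected flow whose verdict differs from the policy."""
    violations = []
    for flow, want in EXPECTED:
        got = evaluate(acl, flow)
        if got != want:
            violations.append((flow, want, got))
    return violations


if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("tight", TIGHT_ACL)):
        for flow, want, got in audit(acl):
            print(f"{name}: {flow.src_ip}->{flow.dst_ip}:{flow.dport}/{flow.proto} "
                  f"expected {want}, got {got}")
```

Running it shows the loose ACL passing the one flow the installer tested (camera to recorder) while permitting the three flows nobody tested; the tight ACL passes all four. Keeping the expected-flow list under version control and re-running it after every change is what turns "we have a firewall" into a verified control.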

Many thanks to the Tenable research team for their contributions to this blog
