Researchers Discover Vulnerability within GoAhead Web Server

For large sections of the world, Christmas and New Year are times of goodwill towards others. It appears hackers never got that memo, which meant security researchers were also deprived of a day off. News of a vulnerability affecting a web server embedded in hundreds of thousands of IoT (Internet of Things) devices broke yesterday, Christmas Day. While many shared the day with family, others were stuck behind screens poring over details of the vulnerability tracked as CVE-2017-17562.

The vulnerability directly affects GoAhead, a small web server package created by Embedthis Software LLC, a company based in Seattle, USA. According to the product's website, it is currently deployed inside products released by big industry names such as Comcast, Oracle, D-Link, ZTE, HP, Siemens, Canon, and many others. This popularity can be attributed to the fact that the tiny web server can run on devices with limited resources, such as Internet of Things (IoT) devices, routers, printers, and other networking equipment.

CVE-2017-17562

Earlier in the previous week, while some were rushing to finish their present shopping, researchers at Elttam discovered a way to execute malicious code remotely on devices using the GoAhead web server package. Researchers at the Australian cybersecurity firm found that attackers can exploit this flaw if CGI (Common Gateway Interface) is enabled and the CGI program is dynamically linked, which is quite a common configuration. CGI is a standard protocol by which a web server executes programs, much like console (command-line) applications, on the server to generate web pages dynamically. Typically a CGI script runs at the time a request is made and generates HTML.

The vulnerability can be exploited to gain reliable remote code execution in all versions of the GoAhead web server before version 3.6.5, though the researchers have only confirmed it as far back as version 2.5.0. The vulnerability is a direct result of initialising the environment of forked CGI scripts from untrusted HTTP request parameters. This affects all users who have CGI support enabled with dynamically linked executables. As mentioned, when combined with the glibc dynamic linker, the flaw can be abused for remote code execution.


The researchers at Elttam informed Embedthis, the company responsible for GoAhead, which in turn released a patch for all affected versions. Researchers at the Australian firm consider this an interesting case study in remotely exploiting the LD_PRELOAD environment variable. They believe the same construct may exist in other services, and that it may be possible to exploit this string blindly, without actually auditing any code. Alongside the Embedthis patch, Elttam has released proof-of-concept code that other researchers can use to test whether devices are vulnerable to CVE-2017-17562.
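The mechanism described above, as an added example in Python (not GoAhead's or Elttam's code): a CGI handler that builds the child's environment without letting request parameters set dynamic-linker variables, plus a scanner that flags such requests in constructed access-log lines. The FORM_ prefix convention, the extra denylist and the sample log are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Names a request parameter must never become in the CGI child's environment:
# anything the glibc dynamic linker reads (LD_PRELOAD, LD_LIBRARY_PATH, ...)
# plus a small conservative denylist (assumption, not GoAhead's own list).
LINKER_PREFIXES = ("LD_",)
BLOCKED_NAMES = {"PATH", "IFS", "HOME"}

def unsafe_param(name: str) -> bool:
    """True if a request parameter name must not reach the child environment."""
    upper = name.upper()
    return upper.startswith(LINKER_PREFIXES) or upper in BLOCKED_NAMES

def build_cgi_env(url: str, base_env=None) -> dict:
    """Build the environment for a forked CGI program from a request URL.
    The query string is exposed whole as QUERY_STRING (CGI/1.1); parameters
    exported individually get a fixed FORM_ prefix (hypothetical convention)
    so none can collide with a linker variable, and linker-style names are
    dropped outright as defence in depth."""
    parts = urlsplit(url)
    env = dict(base_env) if base_env is not None else {"PATH": "/usr/bin:/bin"}
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    env["SCRIPT_NAME"] = parts.path
    env["QUERY_STRING"] = parts.query
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if unsafe_param(name):
            continue  # e.g. LD_PRELOAD=... never reaches the dynamic linker
        env["FORM_" + name.upper()] = value
    return env

# Access-log detection: flag requests whose parameters try to set linker variables.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/1\.[01]"')

def find_linker_injection(log_lines):
    """Return [(line_no, [offending parameter names]), ...] for suspicious requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if m:
            query = urlsplit(m.group("url")).query
            bad = [k for k, _ in parse_qsl(query, keep_blank_values=True) if unsafe_param(k)]
            if bad:
                hits.append((n, bad))
    return hits

# Constructed sample access-log lines (common log format; not from any real device).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Dec/2017:10:00:01 +0000] "GET /cgi-bin/status?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Dec/2017:10:00:02 +0000] "POST /cgi-bin/status?LD_PRELOAD=x HTTP/1.1" 200 0',
    '10.0.0.9 - - [25/Dec/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Running find_linker_injection(SAMPLE_LOG) flags only the second line; the same unsafe_param check is what keeps that parameter out of the environment built by build_cgi_env.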

The Flaw is yet another Security Headache of IoT Device Manufacturers

A basic Shodan search revealed that between 500,000 and 700,000 devices were potentially vulnerable to the flaw being exploited. A more exact number could not be produced, as a Shodan search only detects devices online at the time of the search. Embedthis deserves credit for its handling of the matter and for working with Elttam to correct the problem. Now all the hardware vendors need to incorporate the GoAhead patch into firmware updates for the affected devices.

This is where problems will occur, as it can take months at best and years at worst for vendors to ship the patch as a firmware update. The process is further complicated by the fact that many devices will never receive the update, having reached their end-of-life date, with vendors no longer providing support for them.

To remain competitive, vendors and manufacturers have ramped up the release cycle of new products, meaning that products pass their end-of-life date far quicker than before. Added to this, in the race to keep ahead of competitors, little time, if any, is spent on securing the products. This is despite researchers issuing dire warnings about the potential dangers the IoT can pose to users. These warnings are not sci-fi predictions of a future where IoT devices are used to propagate ransomware, for example; numerous papers, including proof-of-concept code, back up these claims.

A History of Potential Nightmares

This is not the first time a vulnerability has been found in GoAhead. In March of this year security researchers Pierre Kim and Istvan Toth independently found different GoAhead flaws, and in 2014 Cybereason also found other GoAhead flaws. In the paper published by Cybereason, numerous vulnerabilities were found in a very affordable IP surveillance camera. Despite features such as motorised control, wireless connectivity and an SD card slot for saving recorded video, the main selling point was a “plug-and-play” system that lets users connect to their camera from anywhere using a mobile app, without the hassle of NAT traversal or port forwarding. It was this self-same “plug-and-play” feature that was riddled with problems.

Every camera has a unique ID, printed on a QR sticker on the camera, that identifies it inside the vendor’s cloud and authenticates it with a password that is also on the same sticker; the default passwords are the same for all the cameras. Thus if an attacker possesses the victim’s unique ID and password, they could watch the camera’s feed and control it. The researchers also showed that the vulnerabilities enable attackers to bypass web authentication by crafting a special HTTP request. What made matters worse for users was that the camera was not made by a well-known vendor, meaning that future firmware upgrades would be non-existent.

IoT malware such as Mirai, Hajime, BrickerBot, Persirai, and others was seen exploiting GoAhead flaws in the past year. It is almost a certainty that IoT malware authors will jump on this bug and start exploiting it in attacks, given the sheer number of vulnerable devices. In the drive for ever more convenient technology, a security nightmare has been waiting in the wings.