Software Component Reuse Brings Vulnerabilities To Entire Product Lines

A vulnerability affecting D-Link Wi-Fi cameras, disclosed by researchers in June, has been found to affect more than 120 of the company’s products. Experts identified nearly half a million potentially vulnerable devices accessible over the Internet.

IoT security startup Senrio reported last month that it had identified a stack overflow in D-Link’s popular DCS-930L Wi-Fi cameras. Researchers said the vulnerability can be exploited by a remote attacker for arbitrary code execution, including to overwrite the administrator password of the affected devices.

When it disclosed its existence, Senrio said D-Link had been working on addressing the flaw. The vendor has analyzed the vulnerability and determined that it actually affects more than 120 D-link cameras, access points, routers, modems, storage solutions and connected home products.

The flaw exists in a service responsible for processing remote commands and it can be exploited with a single specially crafted command. Stephen Ridley, researcher and founder of Senrio, told SecurityWeek that while their initial proof-of-concept (PoC) was designed to change the password of a vulnerable device, an attacker could do virtually anything with this flaw, including snoop on network traffic and install backdoors.

According to the expert, the vulnerable code is present in many D-Link products, but each device requires a different exploit.

“The locations of values in memory are different between firmware versions and devices, which affects how a successful exploit for the bug is written,” said Ridley. “An attacker would practically account for this difference in versions/devices by ‘fingerprinting’ a device (e.g. query the device first) and then change the exploit payload based on the target.”

A search conducted with Shodan has shown that there are more than 400,000 potentially vulnerable devices accessible from the Internet, and most of them are located in North America, followed by Europe.

“The D-Link vulnerability found by the Senrio Research team is extremely relevant given the recent news on how webcams were used for a DDoS attack. It is reasonable to expect more of these types of attacks as malicious actors realize how ubiquitous and vulnerable IoT devices are,” said John Matherly, CEO of Shodan.

D-Link plans to patch the vulnerability in each of its products soon – starting with DCS cameras, which account for a majority of affected devices. The company said it will address the issue by removing the command that can trigger the vulnerability.

This is not the first time concern over shared code in IoT devices has been raised. Earlier this year, it was discovered that surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to a Remote Code Execution (RCE) vulnerability because of shared firmware code.

In November 2015, a study by IT security consultancy SEC Consult revealed that millions of IoT devices use the same cryptographic secrets, making them vulnerable to various types of malicious attacks.

“The big takeaway from this is that a single software component gets reused throughout company product lines,” said Ridley. “This is the gospel we've been trying to preach especially to the industrial control folks who we see this pattern the most in. They reuse the same vulnerable bits of code from the lower cost stuff all the way through flagship products.”

Ridley will be presenting on additional research at SecurityWeek's 2016 ICS Cyber Security conference, taking place in Atlanta Oct. 24 -27, 2016.

Related: "Libotr" Library Flaw Exposes Popular IM Apps

Related: Remote Code Execution Flaw Patched in glibc Library