6/26/2014
02:50 PM
Decades-Old Vulnerability Threatens Internet Of Things

A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week.

A 20-year-old bug has been discovered in a version of a popular compression algorithm used in the Linux kernel, several open-source libraries, and some Samsung Android mobile devices. And the researcher who found the flaw says it also could affect some car and aircraft systems, as well as other consumer equipment running the embedded open-source software.

Patches for the integer overflow bug, which allows an attacker to cripple systems running the so-called Lempel-Ziv-Oberhumer (LZO) code with denial-of-service attacks and, in some deployments, to achieve remote code execution, were issued over the past few days for the Linux kernel and for various open-source media libraries. LZO handles high-speed compression and decompression of IP network traffic and files, typically images, in embedded systems.
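The article does not show the arithmetic behind the bug. The following is an added, constructed illustration of the integer-overflow class in an LZO-style run-length decoder (not LZO's own code, nor Lab Mouse Security's): a run of zero bytes is worth 255 each and ends with a byte that adds its own value, and when the accumulator is a fixed-width integer with no bound, a long enough run of zeros wraps it to a small value, so later bounds checks reason about the wrong length. The bounded version ties the count to the space left in the output buffer and rejects the stream before the counter can reach the wrap point.

```c
#include <stdint.h>
#include <stdlib.h>

/* Risky pattern: accumulates an LZO-style run length in a 32-bit counter with
 * no bound, so the returned value may have silently wrapped.
 * *consumed receives the number of input bytes read. */
uint32_t run_length_unchecked(const uint8_t *ip, size_t avail, size_t *consumed)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < avail && ip[i] == 0) { t += 255; i++; }   /* can wrap */
    if (i < avail) t += ip[i++];                         /* terminating byte */
    *consumed = i;
    return t;
}

/* Hardened pattern: bounds the count by the output space remaining, so the
 * accumulator never reaches the wrap point and an oversized or truncated run
 * is rejected. Returns 0 and sets *len on success, -1 on malformed input. */
int run_length_checked(const uint8_t *ip, size_t avail, size_t out_remaining,
                       uint32_t *len, size_t *consumed)
{
    uint32_t t = 0;                 /* invariant: t <= out_remaining */
    size_t i = 0;
    while (i < avail && ip[i] == 0) {
        if (out_remaining - t < 255) return -1;   /* would exceed output */
        t += 255; i++;
    }
    if (i >= avail) return -1;                    /* no terminating byte */
    if (out_remaining - t < ip[i]) return -1;     /* final add too large */
    t += ip[i++];
    *len = t; *consumed = i;
    return 0;
}

/* Constructed sample stream: UINT32_MAX/255 + 1 zero bytes (16843010), then
 * a byte of 1. The unchecked decoder reports a wrapped length of 255; the
 * checked decoder rejects the same stream for a 1 MiB output buffer.
 * Returns 1 when both behaviours are observed, -1 on allocation failure. */
int demo_wrap_vs_reject(void)
{
    size_t n = (size_t)(UINT32_MAX / 255 + 1) + 1;
    uint8_t *buf = calloc(n, 1);
    if (!buf) return -1;
    buf[n - 1] = 1;
    size_t used; uint32_t len;
    uint32_t wrapped = run_length_unchecked(buf, n, &used);
    int rc = run_length_checked(buf, n, (size_t)1 << 20, &len, &used);
    free(buf);
    return wrapped == 255 && rc == -1;
}
```

The sample allocates about 16 MB, which is what makes the 32-bit counter wrap; a decoder that checks the length only after accumulation has already lost that information.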

"The most popular use is in image data, decompressing photos taken, raw images taken from a camera or video stream," says Don Bailey, mobile and embedded systems security expert with Lab Mouse Security, who discovered the vulnerability while manually auditing the code.

Bailey says the tricky part with this flaw is just how pervasive it may be in the consumer products that use the algorithm: it depends on the version of the specification, as well as how it was deployed in the system, so it's still unclear just how many consumer products are at risk.

He says there are several key products that incorporate LZO, including OpenVPN, Samsung Android devices with LZO, Apache Hadoop, Juniper Junos IPsec, mplayer2, gstreamer, and Illumos/Solaris BSD ZFS (lz4), but it's unclear whether the LZO deployments in these software programs are vulnerable. "Most likely, they are affected by DoS, if at all," he says.

It all depends on how the algorithm was implemented, he says, as well as the underlying architecture and memory layout of the application. So all LZO implementations should be evaluated for the risk of the bug, he says, as well as patched.

What's unnerving about the vulnerability is the potential danger it could pose to commercial systems, he says. "If it's running in an embedded car or airplane system it [could be abused to] cause a fault in the software and cause the microcontroller or embedded system to fail," Bailey says. "And depending on the architecture, that system may or may not fail."

It could also be used to execute code remotely via audiovisual media, he says. "If you're viewing a video, a [malicious] video will execute a shell on your computer, so you could get code execution by playing a video."

There are plenty of unknowns about the scope of the vulnerability. NASA's Mars Rover also runs LZO, but Bailey says since we don't know how the code was deployed there, there's no way to know if it's vulnerable, either.

Trey Ford, global security strategist for Rapid7, says LZO compression is pervasive. "You will find it in practically all variants of Linux and it may also affect Solaris, iOS, and Android. Note that some variation of the Linux kernel -- the foundation of an operating system -- is used in almost every Internet of Things device, regardless of function," he says.

But without specifics on the flaw and its presence in different implementations, it's tough to determine just how dangerous this may be, Ford says. "This vulnerability might permit bypass of signatures for bootloaders in the deployment of modified kernel, or perhaps a local-only kernel level exploit provided by a special dirty USB drive. It’s very hard to assess the possible impact without more detail," he says.

Meanwhile, Bailey says the flaw only scratches the surface of vulnerabilities out there in embedded systems. "We're going to see more of this as the Internet of Things becomes more prominent," he says.

And not all systems will even get the LZO patch or future patches, he says. "A lot of older projects don't adhere to licensing and may not be patching," he says. "Or organizations may have legacy systems and don't know the library is used in them."

The LZO bug has some parallels to Heartbleed, he says, but it's not as immediately impactful as Heartbleed was. "It's almost as dangerous because it affects a wide number of platforms in a range of ways, with remote memory disclosure, DoS, and remote code execution with one bug," he says.

Bailey has posted a blog with technical details on the LZO vulnerability here.

Here's a rundown of the patches being issued for the flaw:

  • Linux kernel updates for the flaw were released today, and according to the developers of the project, all of the Linux distros have patches available.
  • Libav's versions with the CamStudio and NuppelVideo decoders enabled and the Matroska demuxer using LZO are affected, according to the open-source project's developers. So Libav 0.8, 9, and 10 could be vulnerable to the bug, which is being patched this week.
  • Videolan and ffmpeg media players were patched this week.
  • Oberhumer, which develops the LZO Professional data compression library used in the Mars Rover, airplanes, cars, mobile phones, operating systems, and gaming consoles, did not respond to press inquiries about a patch or which of its systems may be affected by the flaw.

But the organization has issued an update to the software, LZO 2.07. The update doesn't specify whether it fixes the LZO bug, however. Bailey says the site does note that there's a security issue fixed in the new version.

"Basically, if you do have a car, a mobile telephone, a computer, a console, or have been to hospital recently, there's a good chance that you have been in contact with our embedded data compression technology," Oberhumer says on its website.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments
Kelly Jackson Higgins,
User Rank: Strategist
6/30/2014 | 7:47:37 AM
Re: Perhaps not actually reachable in the real world
That's a great question. There wasn't any specific guidance thus far on how to scan for it, but the recommendation was to update any apps that use the affected libraries, all of which now have patches. Don Bailey is planning to provide more details on the vuln beyond his initial post, so maybe we'll see more detection info there.
RyanSepe,
User Rank: Ninja
6/28/2014 | 10:00:00 PM
Re: Perhaps not actually reachable in the real world
Very true. Has there been any documentation/data on how to scan for this and what tools would be the most efficient to do so?

I am sure vulnerability scanners would be able to, but thus far has there been any that have stepped up to say that they can quickly and passively scan for this? Or has this been dismissed because the quantity of people this could affect has been difficult to calculate?
Kelly Jackson Higgins,
User Rank: Strategist
6/27/2014 | 7:26:16 AM
Re: Long elapse of time
This isn't the first open-source vuln and it won't be the last, for sure. Patching is always a headache, but even more so when an open source tool is used in so many places and in so many iterations. Some products won't ever get patched, and many users won't even know their product (based on whatever vulnerable open source tool) is at risk. No easy solutions here.
Kelly Jackson Higgins,
User Rank: Strategist
6/27/2014 | 7:14:50 AM
Re: Perhaps not actually reachable in the real world
Indeed, it doesn't mean every single LZO implementation is affected. As Bailey says, each implementation needs to be evaluated for the flaw.
darkerreading,
User Rank: Apprentice
6/27/2014 | 3:45:03 AM
Perhaps not actually reachable in the real world
The severity of this issue needs to be tempered with the evaluation that most products do not ship with a configuration that allows the issue to be triggered:

Debunking the LZ4 "20 years old bug" myth
RyanSepe,
User Rank: Ninja
6/26/2014 | 10:02:42 PM
Long elapse of time
Interesting that this vulnerability didn't have similar attributes as other vulnerabilities. Otherwise I feel vulnerability scanners would have picked this up in a 20 year span.

I know the article states that the hole is fixed in the next security release, but does anyone with outside knowledge of the vulnerability know what changes were made to effectively close the hole?