02:50 PM
Connect Directly

Decades-Old Vulnerability Threatens Internet Of Things

A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week.

A 20-year-old bug has been discovered in a version of a popular compression algorithm used in the Linux kernel, several open-source libraries, and some Samsung Android mobile devices. And the researcher who found the flaw says it also could affect some car and aircraft systems, as well as other consumer equipment running the embedded open-source software.

Patches for the integer overflow bug, which allows an attacker to cripple systems running the so-called Lempel-Ziv-Oberhumer (LZO) code with denial-of-service type attacks as well as remote code execution, were issued the past few days for the Linux kernel, as well as for various open-source media libraries. LZO handles high-speed compression and decompression of IP network traffic and files, typically images, in embedded systems.

"The most popular use is in image data, decompressing photos taken, raw images taken from a camera or video stream," says Don Bailey, mobile and embedded systems security expert with Lab Mouse Security, who discovered the vulnerability while manually auditing the code.

Bailey says the tricky part with this flaw is just how pervasive it may be in the consumer products that use the algorithm: it depends on the version of the specification, as well as how it was deployed in the system, so it's still unclear just how many consumer products are at risk.

He says there are several key products that incorporate LZO, including OpenVPN, Samsung Android devices with LZO, Apache Hadoop, Juniper Junos IPsec, mplayer2, gstreamer, and Illumos/Solaris BSD ZFS (lz4), but it's unclear whether the LZO deployments in these software programs are vulnerable. "Most likely, they are affected by DoS, if at all," he says.

It all depends on how the algorithm was implemented, he says, as well as the underlying architecture and memory layout of the application. So all LZO implementations should be evaluated for the risk of the bug, he says, as well as patched.

What's unnerving about the vulnerability is the potential danger it could pose to commercial systems, he says. "If it's running in an embedded car or airplane system it [could be abused to] cause a fault in the software and cause the microcontroller or embedded system to fail," Bailey says. "And depending on the architecture, that system may or may not fail."

It could also be used to execute code remotely via audiovisual media, he says. "If you're viewing a video, a [malicious] video will execute a shell on your computer, so you could get code execution by playing a video."

There are plenty of unknowns about the scope of the vulnerability. NASA's Mars Rover also runs LZO, but Bailey says since we don't know how the code was deployed there, there's no way to know if it's vulnerable, either.

Trey Ford, global security strategist for Rapid7, says LZO compression is pervasive. "You will find it in practically all variants of Linux and it may also affect Solaris, iOS, and Android. Note that some variation of the Linux kernel -- the foundation of an operating system -- is used in almost every Internet of Things device, regardless of function," he says.

But without specifics on the flaw and its presence in different implementations, it's tough to determine just how dangerous this may be, Ford says. "This vulnerability might permit bypass of signatures for bootloaders in the deployment of modified kernel, or perhaps a local-only kernel level exploit provided by a special dirty USB drive. It’s very hard to assess the possible impact without more detail," he says.

Meanwhile, Bailey says the flaw only scratches the surface of vulnerabilities out there in embedded systems. "We're going to see more of this as the Internet of Things becomes more prominent," he says.

And not all systems will even get the LZO patch or future patches, he says. "A lot of older projects don't adhere to licensing and may not be patching," he says. "Or organizations may have legacy systems and don't know the library is use in them."

The LZO bug has some parallels to Heartbleed, he says, but it's not immediately impactful as Heartbleed was. "It's almost as dangerous because it affects a wide number of platforms in a range of ways, with remote memory disclosure, DoS, and remote code execution with one bug," he says.

Bailey has posted a blog with technical details on the LZO vulnerability here.

Here's a rundown of the patches being issued for the flaw:

  • Linux kernel updates for the flaw were released today, and according to the developers of the project, all of the Linux distros have patches available.
  • Libav's versions with CamStudio and NuppelVideo decoders enabled and Matroska demuxer using LZO are affected, according to the open-source project's developers. So Libav 0.8 9 and 10 could be vulnerable to the bug, which is being patched this week.
  • Videolan and ffmpeg media players were patched this week.
  • Oberhumer, which develops the LZO Professional data compression library used in Rover, airplanes, card, mobile phones, operating systems, and gaming consoles, did not respond to press inquiries about a patch or which of its systems may be affected by the flaw.

But the organization has issued an update to the software, LZO 2.07. The update doesn't specify whether it fixes the LZO bug, however. Bailey says the site does note that there's a security issue fixed in the new version.

"Basically, if you do have a car, a mobile telephone, a computer, a console, or have been to hospital recently, there's a good chance that you have been in contact with our embedded data compression technology," Oberhumer says on its website.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/30/2014 | 7:47:37 AM
Re: Perhaps not actually reachable in the real world
That's a great question. There wasn't any specific guidance thus far on how to scan for it, but the recommendation was to update any apps that use the affected libraries, all of which now have patches. Don Bailey is planning to provide more details on the vuln beyond his initial post, so maybe we'll see more detection info there.
User Rank: Ninja
6/28/2014 | 10:00:00 PM
Re: Perhaps not actually reachable in the real world
Very true. Has there been any documentation/data on how to scan for this and what tools would be the most efficient to do so?

I am sure vulnerability scanners  would be able to but thus far has there been any that have stepped up to say that they can quickly and passively scan for this? Or has this been dismissed because the quantity of people this could effect has been difficult to calculate?
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/27/2014 | 7:26:16 AM
Re: Long elapse of time
This isn't the first open-source vuln and it won't be the last, for sure. Patching is always a headache, but even moreso when an open source tool is used in so many places and in so many iterations. Some products won't ever get patched, and many users won't even know their product (based on whatever vulnerable open source tool) is at risk. No easy solutions here. 
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/27/2014 | 7:14:50 AM
Re: Perhaps not actually reachable in the real world
Indeed, it doesn't mean every single LZO implementation is affected. As Bailey says, each implementation needs to be evaluated for the flaw.
User Rank: Apprentice
6/27/2014 | 3:45:03 AM
Perhaps not actually reachable in the real world
The severity of this issue needs to be tempered with the evaluation that most products do not ship with a configuration that allows the issue to be triggered:

Debunking the LZ4 "20 years old bug" myth

User Rank: Ninja
6/26/2014 | 10:02:42 PM
Long elapse of time
Interesting the this vulnerability didn't have similar attributes as other vulnerabilities. Otherwise I feel vulnerability scanners would have picked this up in a 20 year span.

I know in the article this states that the hole is fixed in the next security release, but is there anyone with outside knowledge of the vulnerability know what changes were made to effectively close the hole? 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.