Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:50 PM
Connect Directly

Decades-Old Vulnerability Threatens Internet Of Things

A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week.

A 20-year-old bug has been discovered in a version of a popular compression algorithm used in the Linux kernel, several open-source libraries, and some Samsung Android mobile devices. And the researcher who found the flaw says it also could affect some car and aircraft systems, as well as other consumer equipment running the embedded open-source software.

Patches for the integer overflow bug, which allows an attacker to cripple systems running the so-called Lempel-Ziv-Oberhumer (LZO) code with denial-of-service type attacks as well as remote code execution, were issued the past few days for the Linux kernel, as well as for various open-source media libraries. LZO handles high-speed compression and decompression of IP network traffic and files, typically images, in embedded systems.

"The most popular use is in image data, decompressing photos taken, raw images taken from a camera or video stream," says Don Bailey, mobile and embedded systems security expert with Lab Mouse Security, who discovered the vulnerability while manually auditing the code.

Bailey says the tricky part with this flaw is just how pervasive it may be in the consumer products that use the algorithm: it depends on the version of the specification, as well as how it was deployed in the system, so it's still unclear just how many consumer products are at risk.

He says there are several key products that incorporate LZO, including OpenVPN, Samsung Android devices with LZO, Apache Hadoop, Juniper Junos IPsec, mplayer2, gstreamer, and Illumos/Solaris BSD ZFS (lz4), but it's unclear whether the LZO deployments in these software programs are vulnerable. "Most likely, they are affected by DoS, if at all," he says.

It all depends on how the algorithm was implemented, he says, as well as the underlying architecture and memory layout of the application. So all LZO implementations should be evaluated for the risk of the bug, he says, as well as patched.

What's unnerving about the vulnerability is the potential danger it could pose to commercial systems, he says. "If it's running in an embedded car or airplane system it [could be abused to] cause a fault in the software and cause the microcontroller or embedded system to fail," Bailey says. "And depending on the architecture, that system may or may not fail."

It could also be used to execute code remotely via audiovisual media, he says. "If you're viewing a video, a [malicious] video will execute a shell on your computer, so you could get code execution by playing a video."

There are plenty of unknowns about the scope of the vulnerability. NASA's Mars Rover also runs LZO, but Bailey says since we don't know how the code was deployed there, there's no way to know if it's vulnerable, either.

Trey Ford, global security strategist for Rapid7, says LZO compression is pervasive. "You will find it in practically all variants of Linux and it may also affect Solaris, iOS, and Android. Note that some variation of the Linux kernel -- the foundation of an operating system -- is used in almost every Internet of Things device, regardless of function," he says.

But without specifics on the flaw and its presence in different implementations, it's tough to determine just how dangerous this may be, Ford says. "This vulnerability might permit bypass of signatures for bootloaders in the deployment of modified kernel, or perhaps a local-only kernel level exploit provided by a special dirty USB drive. It’s very hard to assess the possible impact without more detail," he says.

Meanwhile, Bailey says the flaw only scratches the surface of vulnerabilities out there in embedded systems. "We're going to see more of this as the Internet of Things becomes more prominent," he says.

And not all systems will even get the LZO patch or future patches, he says. "A lot of older projects don't adhere to licensing and may not be patching," he says. "Or organizations may have legacy systems and don't know the library is use in them."

The LZO bug has some parallels to Heartbleed, he says, but it's not immediately impactful as Heartbleed was. "It's almost as dangerous because it affects a wide number of platforms in a range of ways, with remote memory disclosure, DoS, and remote code execution with one bug," he says.

Bailey has posted a blog with technical details on the LZO vulnerability here.

Here's a rundown of the patches being issued for the flaw:

  • Linux kernel updates for the flaw were released today, and according to the developers of the project, all of the Linux distros have patches available.
  • Libav's versions with CamStudio and NuppelVideo decoders enabled and Matroska demuxer using LZO are affected, according to the open-source project's developers. So Libav 0.8 9 and 10 could be vulnerable to the bug, which is being patched this week.
  • Videolan and ffmpeg media players were patched this week.
  • Oberhumer, which develops the LZO Professional data compression library used in Rover, airplanes, card, mobile phones, operating systems, and gaming consoles, did not respond to press inquiries about a patch or which of its systems may be affected by the flaw.

But the organization has issued an update to the software, LZO 2.07. The update doesn't specify whether it fixes the LZO bug, however. Bailey says the site does note that there's a security issue fixed in the new version.

"Basically, if you do have a car, a mobile telephone, a computer, a console, or have been to hospital recently, there's a good chance that you have been in contact with our embedded data compression technology," Oberhumer says on its website.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/30/2014 | 7:47:37 AM
Re: Perhaps not actually reachable in the real world
That's a great question. There wasn't any specific guidance thus far on how to scan for it, but the recommendation was to update any apps that use the affected libraries, all of which now have patches. Don Bailey is planning to provide more details on the vuln beyond his initial post, so maybe we'll see more detection info there.
User Rank: Ninja
6/28/2014 | 10:00:00 PM
Re: Perhaps not actually reachable in the real world
Very true. Has there been any documentation/data on how to scan for this and what tools would be the most efficient to do so?

I am sure vulnerability scanners  would be able to but thus far has there been any that have stepped up to say that they can quickly and passively scan for this? Or has this been dismissed because the quantity of people this could effect has been difficult to calculate?
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/27/2014 | 7:26:16 AM
Re: Long elapse of time
This isn't the first open-source vuln and it won't be the last, for sure. Patching is always a headache, but even moreso when an open source tool is used in so many places and in so many iterations. Some products won't ever get patched, and many users won't even know their product (based on whatever vulnerable open source tool) is at risk. No easy solutions here. 
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
6/27/2014 | 7:14:50 AM
Re: Perhaps not actually reachable in the real world
Indeed, it doesn't mean every single LZO implementation is affected. As Bailey says, each implementation needs to be evaluated for the flaw.
li'l ciso
li'l ciso,
User Rank: Strategist
6/27/2014 | 3:45:03 AM
Perhaps not actually reachable in the real world
The severity of this issue needs to be tempered with the evaluation that most products do not ship with a configuration that allows the issue to be triggered:

Debunking the LZ4 "20 years old bug" myth

User Rank: Ninja
6/26/2014 | 10:02:42 PM
Long elapse of time
Interesting the this vulnerability didn't have similar attributes as other vulnerabilities. Otherwise I feel vulnerability scanners would have picked this up in a 20 year span.

I know in the article this states that the hole is fixed in the next security release, but is there anyone with outside knowledge of the vulnerability know what changes were made to effectively close the hole? 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.