ID CVE-2017-9765
Summary Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document, aka Devil's Ivy. NOTE: the large document would be blocked by many common web-server configurations on general-purpose computers.
References
Vulnerable Configurations
  • cpe:2.3:a:genivia:gsoap:2.8.18
  • cpe:2.3:a:genivia:gsoap:2.8.19
  • cpe:2.3:a:genivia:gsoap:2.8.20
  • cpe:2.3:a:genivia:gsoap:2.8.21
  • cpe:2.3:a:genivia:gsoap:2.8.22
  • cpe:2.3:a:genivia:gsoap:2.8.23
  • cpe:2.3:a:genivia:gsoap:2.8.24
  • cpe:2.3:a:genivia:gsoap:2.8.25
  • cpe:2.3:a:genivia:gsoap:2.8.26
  • cpe:2.3:a:genivia:gsoap:2.8.27
  • cpe:2.3:a:genivia:gsoap:2.8.28
  • cpe:2.3:a:genivia:gsoap:2.8.29
  • cpe:2.3:a:genivia:gsoap:2.8.30
  • cpe:2.3:a:genivia:gsoap:2.8.31
  • cpe:2.3:a:genivia:gsoap:2.8.32
  • cpe:2.3:a:genivia:gsoap:2.8.33
  • cpe:2.3:a:genivia:gsoap:2.8.34
  • cpe:2.3:a:genivia:gsoap:2.8.35
  • cpe:2.3:a:genivia:gsoap:2.8.36
  • cpe:2.3:a:genivia:gsoap:2.8.37
  • cpe:2.3:a:genivia:gsoap:2.8.38
  • cpe:2.3:a:genivia:gsoap:2.8.39
  • cpe:2.3:a:genivia:gsoap:2.8.40
  • cpe:2.3:a:genivia:gsoap:2.8.41
  • cpe:2.3:a:genivia:gsoap:2.8.42
  • cpe:2.3:a:genivia:gsoap:2.8.43
  • cpe:2.3:a:genivia:gsoap:2.8.44
  • cpe:2.3:a:genivia:gsoap:2.8.45
  • cpe:2.3:a:genivia:gsoap:2.8.46
  • cpe:2.3:a:genivia:gsoap:2.8.47
  • GENIVIA gSOAP 2.8.0 (cpe:2.3:a:genivia:gsoap:2.8.0)
  • cpe:2.3:a:genivia:gsoap:2.8.1
  • cpe:2.3:a:genivia:gsoap:2.8.2
  • cpe:2.3:a:genivia:gsoap:2.8.3
  • cpe:2.3:a:genivia:gsoap:2.8.4
  • cpe:2.3:a:genivia:gsoap:2.8.5
  • cpe:2.3:a:genivia:gsoap:2.8.6
  • cpe:2.3:a:genivia:gsoap:2.8.7
  • cpe:2.3:a:genivia:gsoap:2.8.8
  • cpe:2.3:a:genivia:gsoap:2.8.9
  • cpe:2.3:a:genivia:gsoap:2.8.10
  • cpe:2.3:a:genivia:gsoap:2.8.11
  • cpe:2.3:a:genivia:gsoap:2.8.12
  • cpe:2.3:a:genivia:gsoap:2.8.13
  • cpe:2.3:a:genivia:gsoap:2.8.14
  • cpe:2.3:a:genivia:gsoap:2.8.15
  • cpe:2.3:a:genivia:gsoap:2.8.16
  • cpe:2.3:a:genivia:gsoap:2.8.17
  • GENIVIA gSOAP 2.7.0 (cpe:2.3:a:genivia:gsoap:2.7.0)
  • GENIVIA gSOAP 2.7.1 (cpe:2.3:a:genivia:gsoap:2.7.1)
  • GENIVIA gSOAP 2.7.2 (cpe:2.3:a:genivia:gsoap:2.7.2)
  • GENIVIA gSOAP 2.7.3 (cpe:2.3:a:genivia:gsoap:2.7.3)
  • GENIVIA gSOAP 2.7.4 (cpe:2.3:a:genivia:gsoap:2.7.4)
  • GENIVIA gSOAP 2.7.5 (cpe:2.3:a:genivia:gsoap:2.7.5)
  • GENIVIA gSOAP 2.7.6 (cpe:2.3:a:genivia:gsoap:2.7.6)
  • GENIVIA gSOAP 2.7.7 (cpe:2.3:a:genivia:gsoap:2.7.7)
  • GENIVIA gSOAP 2.7.8 (cpe:2.3:a:genivia:gsoap:2.7.8)
  • GENIVIA gSOAP 2.7.9 (cpe:2.3:a:genivia:gsoap:2.7.9)
  • GENIVIA gSOAP 2.7.10 (cpe:2.3:a:genivia:gsoap:2.7.10)
  • GENIVIA gSOAP 2.7.11 (cpe:2.3:a:genivia:gsoap:2.7.11)
  • GENIVIA gSOAP 2.7.12 (cpe:2.3:a:genivia:gsoap:2.7.12)
  • GENIVIA gSOAP 2.7.13 (cpe:2.3:a:genivia:gsoap:2.7.13)
  • GENIVIA gSOAP 2.7.14 (cpe:2.3:a:genivia:gsoap:2.7.14)
  • GENIVIA gSOAP 2.7.15 (cpe:2.3:a:genivia:gsoap:2.7.15)
  • GENIVIA gSOAP 2.7.16 (cpe:2.3:a:genivia:gsoap:2.7.16)
  • GENIVIA gSOAP 2.7.17 (cpe:2.3:a:genivia:gsoap:2.7.17)
CVSS
Base: 6.8
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-D2174C28ED.NASL
    description Security fix for CVE-2017-9765. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 102404
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102404
    title Fedora 26 : gsoap (2017-d2174c28ed) (Devil's Ivy)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1036.NASL
    description A vulnerability was discovered in gsoap, a library for the development of SOAP web services and clients, that may be exposed with a large and specific XML message over 2 GB in size. After receiving this 2 GB message, a buffer overflow can cause an open unsecured server to crash. Clients communicating with HTTPS with trusted servers are not affected. For Debian 7 'Wheezy', these problems have been fixed in version 2.8.7-2+deb7u1. We recommend that you upgrade your gsoap packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 101935
    published 2017-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101935
    title Debian DLA-1036-1 : gsoap security update (Devil's Ivy)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-842.NASL
    description This update for gsoap fixes the following security issue : - CVE-2017-9765: A remote attacker may have triggered a buffer overflow to cause a server crash (denial of service) after sending 2GB of a specially crafted XML message, or possibly have unspecified further impact. (bsc#1049348)
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 102011
    published 2017-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102011
    title openSUSE Security Update : gsoap (openSUSE-2017-842) (Devil's Ivy)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_8745C67E7DD1416596E2FCF9DA2DC5B5.NASL
    description Senrio reports : Genivia gSOAP is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer. A remote attacker may exploit this issue to execute arbitrary code in the context of the affected device. Failed attempts will likely cause a denial-of-service condition.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 101967
    published 2017-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101967
    title FreeBSD : gsoap -- remote code execution via via overflow (8745c67e-7dd1-4165-96e2-fcf9da2dc5b5) (Devil's Ivy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-FF06FF0EC9.NASL
    description Security fix for CVE-2017-9765. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 102407
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102407
    title Fedora 25 : gsoap (2017-ff06ff0ec9) (Devil's Ivy)
  • NASL family Misc.
    NASL id AXIS_DEVILS_IVY.NASL
    description The remote AXIS device is running a firmware version that is missing a security patch. It is, therefore, affected by a remote code execution vulnerability, known as Devil's Ivy, due to an overflow condition that exists in a third party SOAP library (gSOAP). An unauthenticated, remote attacker can exploit this, via an HTTP POST message exceeding 2GB of data, to trigger a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. An attacker who successfully exploits this vulnerability can reset the device to its factory defaults, change network settings, take complete control of the device, or reboot it to prevent an operator from viewing the feed.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 101810
    published 2017-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101810
    title AXIS gSOAP Message Handling RCE (ACV-116267) (Devil's Ivy)
refmap via4
bid 99868
Last major update 19-07-2017 - 20:29
Published 19-07-2017 - 20:29
Last modified 16-09-2017 - 06:25