Vulnerability Revealed in Some IoT Devices, At Least 500,000 Affected
The company has released a patch to fix the bug but it might take months to years for hardware vendors to incorporate it.
Earlier this week, security researchers from the Australian company Elttam revealed a way to execute malicious code remotely on devices that use the GoAhead web server package. Attackers can exploit this flaw when CGI is enabled and the CGI program is dynamically linked, which is a common configuration.
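Because the exploitable condition is "CGI enabled plus a dynamically linked CGI program", a defender's first step is to find out which CGI programs on a device or firmware image are dynamically linked. The following audit script is an added example, not code from the article, Elttam, or Embedthis: it reads the ELF program headers of each candidate CGI executable and reports whether it carries a PT_INTERP or PT_DYNAMIC entry (the markers of a dynamically linked binary). The sample CGI programs are constructed in the script as minimal synthetic ELF64 images; on a real device you would point `audit_cgi_dir` at the web server's CGI directory, whose path and whether CGI is enabled at all depend on the vendor's GoAhead build and are not given on this page.

```python
"""Audit CGI executables for dynamic linking (added example, not from the article).

A GoAhead deployment is exposed to the described flaw only when CGI is enabled
and the CGI program is dynamically linked. This script answers the second half
of that question from the ELF program headers alone, so it can be run against
an unpacked firmware image as well as a live device.
"""
import struct
from pathlib import Path

PT_DYNAMIC = 2   # program header type: dynamic linking information
PT_INTERP = 3    # program header type: path of the program interpreter (ld.so)
PT_LOAD = 1      # program header type: ordinary loadable segment


def is_dynamically_linked(elf_bytes: bytes) -> bool:
    """Return True if the ELF image has a PT_INTERP or PT_DYNAMIC program header."""
    if len(elf_bytes) < 52 or elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf_bytes[4], elf_bytes[5]
    endian = "<" if ei_data == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if ei_class == 2:                        # ELF64 header layout
        (e_phoff,) = struct.unpack_from(endian + "Q", elf_bytes, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf_bytes, 0x36)
    elif ei_class == 1:                      # ELF32 header layout
        (e_phoff,) = struct.unpack_from(endian + "I", elf_bytes, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf_bytes, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(endian + "I", elf_bytes, off)  # p_type is first in both classes
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return True
    return False


def audit_cgi_programs(programs):
    """Classify (name, bytes) pairs as 'dynamic', 'static' or 'not-elf'."""
    report = {}
    for name, data in programs:
        try:
            report[name] = "dynamic" if is_dynamically_linked(data) else "static"
        except ValueError:
            report[name] = "not-elf"   # shell/Perl CGI scripts, data files, etc.
    return report


def audit_cgi_dir(cgi_dir):
    """Audit every regular file below a CGI directory (path is deployment-specific)."""
    files = (p for p in Path(cgi_dir).rglob("*") if p.is_file())
    return audit_cgi_programs((str(p), p.read_bytes()) for p in files)


def build_minimal_elf64(dynamic: bool) -> bytes:
    """Constructed test fixture: a 64-byte ELF64 header plus one program header.

    Not a runnable program; it exists only so the audit can be demonstrated offline.
    """
    interp = b"/lib64/ld-linux-x86-64.so.2\x00"     # assumed interpreter path
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little endian
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0,      # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
        64, 0, 0,           # e_phoff (right after header), e_shoff, e_flags
        64, 56, 1, 0, 0, 0  # e_ehsize, e_phentsize, e_phnum, section fields
    )
    p_type = PT_INTERP if dynamic else PT_LOAD
    phdr = struct.pack("<IIQQQQQQ", p_type, 4, 120, 0, 0, len(interp), len(interp), 1)
    return header + phdr + interp


# Constructed sample "CGI directory": one dynamic ELF, one static ELF, one script.
SAMPLE_CGI_PROGRAMS = [
    ("env.cgi", build_minimal_elf64(dynamic=True)),
    ("status.cgi", build_minimal_elf64(dynamic=False)),
    ("hello.sh", b"#!/bin/sh\necho 'Content-Type: text/plain'\n"),
]

if __name__ == "__main__":
    for name, verdict in audit_cgi_programs(SAMPLE_CGI_PROGRAMS).items():
        print(f"{name:12s} {verdict}")
```

Programs reported as `dynamic` are the ones that meet the second exploit precondition; rebuilding them statically, disabling CGI where it is not needed, or applying the vendor's GoAhead update removes the exposure. A `not-elf` verdict only means the file is not a native binary; a script CGI is still executed through its interpreter, which is itself usually dynamically linked, so treat it with the same caution until the patch is in place.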
GoAhead is a tiny web server package created by Embedthis Software and is said to be used in products by Comcast, Oracle, D-Link, ZTE, HP, Siemens, Canon, and many others. It is popular with vendors as it can run on devices with limited resources. Many Internet of Things (IoT) devices, routers, printers, and other networking equipment make use of this package.
“Welcome to our security nightmare of convenience without proper configuration,” commented Cheryl Biswas, a cyber-security expert.
IoT malware families such as Mirai, Hajime, BrickerBot, and Persirai have exploited GoAhead flaws in the past year. The trend suggests that IoT malware authors will jump on this bug and start exploiting it in cyber-attacks, if they haven’t already.
A basic Shodan search reveals that nearly 500,000 to 700,000 of the affected devices were online. The figure does not include devices that were offline or running an older version, so the actual number might be even higher. Shodan is a search engine that lets users find specific types of internet-connected computers using a variety of filters.
Embedthis has released a patch to fix the bug, but it might take months to years for hardware vendors to incorporate the GoAhead patch into a firmware update for all the affected devices, and devices that have reached their end-of-life date will not receive any updates.
The vulnerability is expected to cause significant problems in the future. Mirai, for example, turns networked devices that run Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks.