Todd Dunning - Sr. Product Manager
In Mid-July, a security vulnerability – the gSOAP/Devil’s Ivy threat -- was exposed that had a significant impact in our video security market. This is Pelco’s official statement shared with IPVM magazine (emphasis added):
Pelco by Schneider-Electric takes all Cyber Security threats seriously responds immediately to any reported or potential threat to take immediate and proactive corrective action.
As such, Pelco is aware of the recently discovered gSOAP vulnerability, and has performed extensive testing of that vulnerability on our product offerings. Specifically, we tested against the gSOAP vulnerability on Pelco’s IP camera product lines, and have found that our cameras are immune to the vulnerability. For our VMS systems products, gSOAP is not used, and therefore those products are also immune to this vulnerability.
You can read the IPVM article (subscription required) via this link and others below. Here is a high-level overview of the issue:
The vulnerability was discovered in Genivia’s gSOAP toolkit, which many video surveillance manufacturers use for ONVIF implementation. ONVIF requires SOAP. Genivia acknowledged the vulnerability in versions 2.7 to 2.8.47; the company issued a notification to download the latest gSOAP release, 2.8.48 or greater, to fix what they termed a “potential vulnerability that can be exposed with large and specific XML messages over 2GB.” That that buffer overflow, attacks can be mounted to the device itself.
Additional articles on the gSOAP/Devil’s Ivy Threat:
•Krebs on Security