IOT Server Software Vulnerability Found

Researchers have uncovered a flaw in the GoAhead web server software, which is widely used in Internet of Things devices. The flaw, designated CVE-2017-17562, could be exploited to hijack gadgets.

The flaw allows attackers to inject code into devices, which they can then control and use to spy on their owners. The affected software is used across the Internet of Things and is found in Linux-based routers, home security cameras, and other network-connected items.

Embedthis Software LLC, a company based in Seattle, USA, and the maker of GoAhead, describes its code as "the world's most popular, tiny embedded web server."

The vulnerability arises in GoAhead versions before 3.6.5 when the server generates dynamic web pages by passing browser requests to CGI programs: arbitrary environment variables for the CGI process are set from the HTTP request, which lets an attacker load malicious code into that process. The CGI program has to be dynamically linked for this to work, so the injected code does not affect devices that use statically linked binaries.
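The flaw class described above, as an added example that is not GoAhead's code: a CGI launcher that copies query parameters straight into the child's environment beside one that exports only the RFC 3875 meta-variables, plus an audit helper that flags any other variable name a child received. The header sanitisation rule, the fixed `PATH` value and the constructed parameter name `INJECTED_VAR` are assumptions, not details from the article.

```python
"""Added example (not GoAhead's code): two ways a web server can build the
environment of a CGI child, and an audit of the result."""
from urllib.parse import parse_qsl

# Meta-variables a server legitimately sets for a CGI child (RFC 3875, 4.1).
CGI_META_VARS = frozenset({
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
})
# Variables the server itself may add for the child's benefit (assumption).
SERVER_OWN_VARS = frozenset({"PATH"})


def build_env_unsafe(query_string):
    """Vulnerable pattern: every query parameter becomes an environment
    variable, so the remote client chooses both the name and the value."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET",
           "QUERY_STRING": query_string}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        env[name] = value                      # client-controlled name
    return env


def build_env_safe(query_string, headers):
    """Hardened pattern: parameters stay inside QUERY_STRING; request headers
    are exported only under the HTTP_ prefix with a sanitised name."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET",
           "SERVER_PROTOCOL": "HTTP/1.1", "QUERY_STRING": query_string,
           "PATH": "/usr/bin:/bin"}            # fixed, never from the request
    for name, value in headers.items():
        # RFC 3875 4.1.18: upper-case, '-' to '_', HTTP_ prefix. Anything
        # else is replaced so a header can never spell a loader variable.
        clean = "".join(c if c.isascii() and c.isalnum() else "_"
                        for c in name.upper())
        if clean:
            env["HTTP_" + clean] = value
    return env


def audit_cgi_env(env):
    """Return the variable names a CGI child received that no CGI server
    should be setting; an empty set means the environment is clean."""
    return {k for k in env
            if k not in CGI_META_VARS and k not in SERVER_OWN_VARS
            and not k.startswith("HTTP_")}
```

Running `audit_cgi_env` against the environment an existing CGI launcher actually produces (for example by dumping `os.environ` from a test script) shows whether request data is leaking into variable names.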

The flaw is limited to devices and servers that use CGI-based executables. "GoAhead users have been actively discouraged from using the slower, less secure CGI forms for at least 10 years. Most sites do not use it and are not vulnerable," a GoAhead spokesperson told El Reg. He went on to say that GoAhead has better internal alternatives that are smaller yet faster.

It remains to be seen whether GoAhead will provide a fix for this flaw, but experts advise avoiding CGI-based platforms to reduce the risk of compromise.