back to article GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear

Researchers have uncovered a vulnerability in the GoAhead web server software – embedded in Internet of Things devices – that can be potentially remotely exploited to hijack gadgets. The flaw, designated CVE-2017-17562, allows an attacker to inject evil code to vulnerable devices and take control of the hardware and spy on …

  1. Frank Bitterlich
    Thumb Up

    When BS meets PR...

    "Most GoAhead customers do not use CGI as GoAhead has better, faster, smaller internal alternatives," a spokesperson told El Reg.

    read: "We couldn't be bothered to make the standard (CGI) interface more secure, because we have brewed up our own interface, which is better. It's secure, trust us. We know how to make thing secure."

    If you're using kit that uses a vulnerable version of GoAhead...

    Easy to find out for the average user of some Chinese webcam.

    , and uses dynamically linked CGI programs, ...

    Even easier to find out.

    then you'll need to install the fix by hand...

    install fix by hand [Search]

    About 67.800.000 results (0,40 seconds)

    or pester the machine's manufacturer for a firmware update.

    OK, to help you with this, as a complimentary service, here is the Chinese version of "I need a software upgrade":

    我需要一个软件升级

    Good luck!

    1. mob590

      Re: When BS meets PR...

      The security researcher disclosed the issue to use (Embedthis) over 180 days ago and have worked with us to ensure any manufacturers that need to patch can get updates into the field before publicly disclosing the issue. They are to be commended for how they handled the issue. We have provided patches to the open source community and commercial customers with support over the past 180 days. That patch has been integrated into updates since then.

      Few GoAhead customers use CGI, but that does not excuse the vulnerability. It merely scopes the set of vulnerable sites. The Shodan search does not accurately capture that set as it lists any GoAhead site. We believe the total number of affected sites is much much smaller.

  2. mob590

    Detail on the set of vulnerable sites

    The security researcher disclosed the issue to us (Embedthis) over 180 days ago and have worked with us to ensure any manufacturers that need to patch can get updates into the field before publicly disclosing the issue. They are to be commended for how they handled the issue. We have provided patches to the open source community and commercial customers with support over the past 180 days. That patch has been integrated into updates since then.

    Few GoAhead customers use CGI, but that does not excuse the vulnerability. It merely scopes the set of vulnerable sites. The Shodan search does not accurately capture that set as it lists any GoAhead site. We believe the total number of affected sites is much much smaller.

    Michael O'Brien, Embedthis.

    1. Frank Bitterlich

      Re: Detail on the set of vulnerable sites

      My point was that patching vulns on IoT components simply does not work well. The patch will typically arrive on a tiny fraction of affected systems because the companies embedding it in their devices (a) don't give a f**k, (b) are ignorant, or (c) simply don't have a way to reach their customers after purchase. In most cases: all of the above.

      If you sell a desktop or mobile OS, a flaw is bad but can be patched. If it is inside a component of IoT or embedded gear, it can't, for all practical purposes. That's why it is of such critical importance to get it right the first time – before the gear is built and sold. And too few companies are aware of this. S**t happens – but in this area, if you haven't done your utmost to prevent this, you're letting down your users.

      That's my view - take it, or downvote it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019