Decades-Old Vulnerability Threatens Internet Of Things

Published: 22/11/2024   Category: security




A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week.



A 20-year-old bug has been discovered in a version of a popular compression algorithm used in the Linux kernel, several open-source libraries, and some Samsung Android mobile devices. And the researcher who found the flaw says it also could affect some car and aircraft systems, as well as other consumer equipment running the embedded open-source software.
Patches for the integer overflow bug, which allows an attacker to cripple systems running the so-called Lempel-Ziv-Oberhumer (LZO) code with denial-of-service type attacks as well as remote code execution, were issued the past few days for the Linux kernel, as well as for various open-source media libraries. LZO handles high-speed compression and decompression of IP network traffic and files, typically images, in embedded systems.
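As an added illustration, not code from the article, from Bailey's post, or from the LZO library itself: a decoder for LZO-style variable-length run counts, first in the unchecked form that lets the count wrap and then with the bound that stops it. The encoding rule (each leading zero byte adds 255, the final byte adds its value plus 15), the function names, and the 32-bit accumulator are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Assumed LZO-style run-count encoding: each leading 0x00 byte adds 255 and
 * the first non-zero byte adds its value plus 15. The accumulator is uint32_t
 * to mirror a 32-bit size_t, where the wrap is reachable. */
#define LZO_E_OK 0
#define LZO_E_ERROR (-1)
/* Largest number of 0x00 bytes that can be accumulated without wrapping. */
#define MAX_255_COUNT ((UINT32_MAX / 255u) - 2u)
/* Unchecked decoder: a long enough zero run silently wraps the count, so a
 * later bounds check sees a small length while the real run is far larger. */
int run_len_unchecked(const uint8_t *ip, size_t avail, uint32_t *len, size_t *used) {
    uint32_t t = 0; size_t i = 0;
    while (i < avail && ip[i] == 0) { t += 255u; i++; }
    if (i >= avail) return LZO_E_ERROR;            /* input exhausted */
    t += 15u + ip[i++];
    *len = t; *used = i; return LZO_E_OK;
}
/* Hardened decoder: reject the run before the accumulator can wrap. */
int run_len_checked(const uint8_t *ip, size_t avail, uint32_t *len, size_t *used) {
    uint32_t t = 0; size_t i = 0;
    while (i < avail && ip[i] == 0) {
        if (i >= MAX_255_COUNT) return LZO_E_ERROR; /* would overflow */
        t += 255u; i++;
    }
    if (i >= avail) return LZO_E_ERROR;
    t += 15u + ip[i++];
    *len = t; *used = i; return LZO_E_OK;
}
/* Constructed input: DEMO_ZEROS 0x00 bytes then 0x01. 16843010 * 255 exceeds
 * UINT32_MAX, so the unchecked total wraps to 254 and reports length 270. */
#define DEMO_ZEROS 16843010u
static int run_demo(int (*dec)(const uint8_t *, size_t, uint32_t *, size_t *), uint32_t *len) {
    uint8_t *buf = calloc(DEMO_ZEROS + 1, 1);
    size_t used; int rc = LZO_E_ERROR; *len = 0;
    if (!buf) return rc;
    buf[DEMO_ZEROS] = 0x01;
    rc = dec(buf, DEMO_ZEROS + 1, len, &used);
    free(buf); return rc;
}
uint32_t demo_unchecked_len(void) { uint32_t l; run_demo(run_len_unchecked, &l); return l; }
int demo_checked_rc(void) { uint32_t l; return run_demo(run_len_checked, &l); }
/* Ordinary short run (two zero bytes, then 5): both decoders agree on 530. */
uint32_t demo_short_len(void) {
    static const uint8_t s[] = { 0x00, 0x00, 0x05 }; uint32_t l = 0; size_t u;
    return run_len_checked(s, sizeof s, &l, &u) == LZO_E_OK ? l : 0;
}
```

The checked decoder fails closed on the long run instead of handing a wrapped length to whatever copy follows, which is the property a patched LZO build should preserve.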
The most popular use is in image data, decompressing photos taken, raw images taken from a camera or video stream, says Don Bailey, mobile and embedded systems security expert with Lab Mouse Security, who discovered the vulnerability while manually auditing the code.
Bailey says the tricky part with this flaw is just how pervasive it may be in the consumer products that use the algorithm: it depends on the version of the specification, as well as how it was deployed in the system, so it's still unclear just how many consumer products are at risk.
He says there are several key products that incorporate LZO, including OpenVPN, Samsung Android devices with LZO, Apache Hadoop, Juniper Junos IPsec, mplayer2, gstreamer, and Illumos/Solaris BSD ZFS (lz4), but it's unclear whether the LZO deployments in these software programs are vulnerable. Most likely, they are affected by DoS, if at all, he says.
It all depends on how the algorithm was implemented, he says, as well as the underlying architecture and memory layout of the application. So all LZO implementations should be evaluated for the risk of the bug, he says, as well as patched.
What's unnerving about the vulnerability is the potential danger it could pose to commercial systems, he says. If it's running in an embedded car or airplane system it [could be abused to] cause a fault in the software and cause the microcontroller or embedded system to fail, Bailey says. And depending on the architecture, that system may or may not fail.
It could also be used to execute code remotely via audiovisual media, he says. If you're viewing a video, a [malicious] video will execute a shell on your computer, so you could get code execution by playing a video.
There are plenty of unknowns about the scope of the vulnerability. NASA's Mars Rover also runs LZO, but Bailey says since we don't know how the code was deployed there, there's no way to know if it's vulnerable, either.
Trey Ford, global security strategist for Rapid7, says LZO compression is pervasive. You will find it in practically all variants of Linux and it may also affect Solaris, iOS, and Android. Note that some variation of the Linux kernel -- the foundation of an operating system -- is used in almost every Internet of Things device, regardless of function, he says.
But without specifics on the flaw and its presence in different implementations, it's tough to determine just how dangerous this may be, Ford says. This vulnerability might permit bypass of signatures for bootloaders in the deployment of a modified kernel, or perhaps a local-only kernel level exploit provided by a special dirty USB drive. It's very hard to assess the possible impact without more detail, he says.
Meanwhile, Bailey says the flaw only scratches the surface of vulnerabilities out there in embedded systems. We're going to see more of this as the Internet of Things becomes more prominent, he says.
And not all systems will even get the LZO patch or future patches, he says. A lot of older projects don't adhere to licensing and may not be patching, he says. Or organizations may have legacy systems and don't know the library is used in them.
The LZO bug has some parallels to Heartbleed, he says, but it's not as immediately impactful as Heartbleed was. It's almost as dangerous because it affects a wide number of platforms in a range of ways, with remote memory disclosure, DoS, and remote code execution with one bug, he says.
Bailey has posted a blog with technical details on the LZO vulnerability here.
Here's a rundown of the patches being issued for the flaw:
Linux kernel updates for the flaw were released today, and according to the developers of the project, all of the Linux distros have patches available.
Libav's versions with CamStudio and NuppelVideo decoders enabled and Matroska demuxer using LZO are affected, according to the open-source project's developers. So Libav 0.8, 9, and 10 could be vulnerable to the bug, which is being patched this week.
Videolan and ffmpeg media players were patched this week.
Oberhumer, which develops the LZO Professional data compression library used in Rover, airplanes, cars, mobile phones, operating systems, and gaming consoles, did not respond to press inquiries about a patch or which of its systems may be affected by the flaw.
But the organization has issued an update to the software, LZO 2.07. The update doesn't specify whether it fixes the LZO bug, however. Bailey says the site does note that there's a security issue fixed in the new version.
Basically, if you do have a car, a mobile telephone, a computer, a console, or have been to hospital recently, there's a good chance that you have been in contact with our embedded data compression technology, Oberhumer says on its website.
