13 New Vulnerabilities in BMC Firmware Let Hackers Launch Remote Attacks on OT & IoT Networks

BMC (Baseboard Management Controller) firmware from Lanner has been found to contain over a dozen vulnerabilities that could allow remote attacks to be launched against OT and IoT networks.

As a result of analyzing an IPMC from Lanner Electronics (a Taiwanese vendor), Nozomi Networks discovered 13 vulnerabilities that affected the IAC-AST2500 network interface.

In server motherboards, these BMCs are commonly available as a service processor (SoC) that integrates with the server peripherals.

Using this kind of tool, it is possible to monitor and manage a host system remotely and to also perform low-level system operations, such as flashing firmware and controlling the power supply, remotely.

EHA

Vulnerabilities Found

Researchers discovered thirteen vulnerabilities that exist in the web interface of the IAC-AST2500A, which are listed below:-

  1. CVE-2021-26727: spx_restservice SubNet_handler_func Multiple Command Injections and Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
  2. CVE-2021-26728: spx_restservice KillDupUsr_func Command Injection and Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
  3. CVE-2021-26729: spx_restservice Login_handler_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
  4. CVE-2021-26730: spx_restservice Login_handler_func Subfunction Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
  5. CVE-2021-26731: spx_restservice modifyUserb_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) 
  6. CVE-2021-26732: spx_restservice First_network_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) 
  7. CVE-2021-26733: spx_restservice FirstReset_handler_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) 
  8. CVE-2021-44776: spx_restservice SubNet_handler_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) 
  9. CVE-2021-44467: spx_restservice KillDupUsr_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) 
  10. CVE-2021-44769: TLS Certificate Generation Function Improper Input Validation, CVSS v3.1 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) 
  11. CVE-2021-46279: Session Fixation and Insufficient Session Expiration, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) 
  12. CVE-2021-45925: Username Enumeration, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 
  13. CVE-2021-4228: Hard-coded TLS Certificate, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) 

Except for CVE-2021-4228, which affects version 1.00.0, all of the issues affect version 1.10.0 of the standard firmware. According to the CVSS scoring system, there are four flaws that are rated as ten out of ten.

Attack Chain

In addition to network appliances, this company also provides rugged computing platforms and rugged network appliances that are designed to withstand harsh environments.

AMI’s BMC remote management firmware is used by several tech giants and here below we have mentioned them:-

  • Asus
  • Dell
  • HP
  • Lenovo
  • Gigabyte
  • Nvidia

It is possible to control both the host and the BMC from within the Lanner expansion card by using a web application, which comes with the expansion card.

As a consequence of the following two flaws, an unauthenticated attacker may be able to execute RCE on a BMC with root privileges by exploiting the vulnerabilities:-

  • CVE-2021-44467
  • CVE-2021-26728

If the user wishes to terminate any other active session on the logged-in account, the web application will ask the user through a confirmation dialog during the login process.

There is a POST request that is used to implement this functionality, and it is authenticated using the following request:-

  • /api/KillDupUsr

While this is completely regulated by the “KillDupUsr_func,” it’s a function of the following service:-

  • spx_restservice

This function does not verify the user session, despite the QSESSIONID cookie being present in the POST request. Unauthenticated attackers can exploit this flaw (CVE-2021-44467) to end the active sessions of other users with impunity, causing a DoS condition to occur.

Recommendation

The vendor, Lanner developed updated firmware versions for the IAC-AST2500A after receiving the security report regarding these 13 vulnerabilities.

There is a strict dependency between the appliance in use and the patched version that is required. So, in order to receive the appropriate package, Lanner customers were advised to contact their technical support department. 

It is recommended to enforce network access control and firewall rules if a user is not able to patch their appliances. This will prevent this asset from being able to access the network from outside the organization.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.