13 New Vulnerabilities in BMC Firmware Let Hackers Launch Remote Attacks on OT & IoT Networks

BMC (Baseboard Management Controller) firmware from Lanner has been found to contain over a dozen vulnerabilities that could allow remote attacks to be launched against OT and IoT networks.

While analyzing an IPMI expansion card from Lanner Electronics (a Taiwanese vendor), Nozomi Networks discovered 13 vulnerabilities affecting the IAC-AST2500A.

On server motherboards, a BMC is commonly present as a dedicated service processor (typically a system-on-chip, or SoC) that interfaces with the server's peripherals.

Through it, an administrator can monitor and manage the host system remotely and also perform low-level operations, such as flashing firmware and controlling the power supply, without physical access.

Vulnerabilities Found

Researchers discovered thirteen vulnerabilities that exist in the web interface of the IAC-AST2500A, which are listed below:-

  1. CVE-2021-26727: spx_restservice SubNet_handler_func Multiple Command Injections and Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  2. CVE-2021-26728: spx_restservice KillDupUsr_func Command Injection and Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  3. CVE-2021-26729: spx_restservice Login_handler_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  4. CVE-2021-26730: spx_restservice Login_handler_func Subfunction Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  5. CVE-2021-26731: spx_restservice modifyUserb_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
  6. CVE-2021-26732: spx_restservice First_network_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
  7. CVE-2021-26733: spx_restservice FirstReset_handler_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  8. CVE-2021-44776: spx_restservice SubNet_handler_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
  9. CVE-2021-44467: spx_restservice KillDupUsr_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  10. CVE-2021-44769: TLS Certificate Generation Function Improper Input Validation, CVSS v3.1 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
  11. CVE-2021-46279: Session Fixation and Insufficient Session Expiration, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
  12. CVE-2021-45925: Username Enumeration, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  13. CVE-2021-4228: Hard-coded TLS Certificate, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

Except for CVE-2021-4228, which affects version 1.00.0, all of the issues affect version 1.10.0 of the standard firmware. According to the CVSS scoring system, there are four flaws that are rated as ten out of ten.

Attack Chain

Besides network appliances, Lanner also provides rugged computing platforms and rugged network appliances designed to withstand harsh environments.

AMI's BMC remote management firmware is used by several tech giants, including the following:-

  • Asus
  • Dell
  • HP
  • Lenovo
  • Gigabyte
  • Nvidia

Both the host and the BMC can be controlled from the Lanner expansion card through the web application that ships with it.

By chaining the following two flaws, an unauthenticated attacker may be able to achieve remote code execution (RCE) on the BMC with root privileges:-

  • CVE-2021-44467
  • CVE-2021-26728

During login, if another session is already active on the account, the web application shows a confirmation dialog asking the user whether to terminate the other active sessions.

This functionality is implemented by an authenticated POST request to the following endpoint:-

  • /api/KillDupUsr

The request is handled entirely by the "KillDupUsr_func" function of the following service:-

  • spx_restservice

This function does not verify the user session, even though the QSESSIONID cookie is present in the POST request. Unauthenticated attackers can exploit this flaw (CVE-2021-44467) to terminate the active sessions of other users at will, causing a DoS condition.
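To make the missing check concrete, here is an added illustration (not Lanner's, AMI's or Nozomi's code) of a session-termination handler that acts on the request body without ever validating the QSESSIONID cookie, beside a hardened version that binds the action to the caller's own authenticated session and validates the username before using it. The in-memory session table, the `username` form field and the cookie/form dictionaries are assumptions.

```python
import re

# Constructed session table (assumption): session id -> account name.
# Two sessions belong to "admin", one to "operator".
def make_sessions() -> dict:
    return {"a1b2": "admin", "c3d4": "admin", "e5f6": "operator"}

# Strict allow-list for account names, so the value can never carry
# shell metacharacters or overrun a fixed-size buffer downstream.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def kill_dup_user_vulnerable(sessions: dict, cookies: dict, form: dict) -> int:
    """Mirrors the flaw described above: the QSESSIONID cookie is received
    but never checked, so any client can terminate any account's sessions."""
    target = form.get("username", "")
    victims = [sid for sid, user in sessions.items() if user == target]
    for sid in victims:
        sessions.pop(sid)
    return len(victims)


def kill_dup_user_fixed(sessions: dict, cookies: dict, form: dict) -> int:
    """Hardened handler: (1) the caller must present a live session,
    (2) the username must match the allow-list, (3) the caller may only
    terminate *other* sessions of the account they are logged in as."""
    caller_sid = cookies.get("QSESSIONID")
    caller = sessions.get(caller_sid)
    if caller is None:
        raise PermissionError("no valid session for QSESSIONID")
    target = form.get("username", "")
    if not USERNAME_RE.fullmatch(target):
        raise ValueError("username rejected by allow-list")
    if target != caller:
        raise PermissionError("may only terminate sessions of own account")
    victims = [sid for sid, user in sessions.items()
               if user == target and sid != caller_sid]
    for sid in victims:
        sessions.pop(sid)
    return len(victims)
```

The vulnerable variant lets a request with no cookie at all wipe the administrator's sessions, which is the DoS the article describes; the fixed variant refuses it and also rejects any username that could not have been created through the normal account path.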

Recommendation

The vendor, Lanner, developed updated firmware versions for the IAC-AST2500A after receiving the security report covering these 13 vulnerabilities.

The patched version required depends strictly on the appliance in use, so Lanner customers were advised to contact the vendor's technical support department to obtain the appropriate package.

Users who are unable to patch their appliances are advised to enforce network access control and firewall rules so that the BMC is not reachable from outside the organization.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.