
Vulnerabilities in BMC Firmware Affect OT/IoT Device Security

A Baseboard Management Controller (BMC) is a supplementary System-on-Chip designed for remote monitoring and management of a computer. Because it has its own dedicated network interface and is tightly coupled with critical hardware components (e.g. the motherboard chipset), a BMC can perform fully remote low-level system operations, such as keyboard-and-mouse interaction from the earliest stage of boot, system power control, BIOS firmware reflashing, and more.

In the past, BMCs were only found in IT server motherboards, whereas vendors are now broadening the scope of BMCs to the operational technology (OT) and Internet of Things (IoT) sectors. One such vendor is Lanner Inc., a Taiwanese brand specializing in embedded applications. During our research, we analyzed the Lanner IAC-AST2500A, an expansion card that enables BMC functionality on Lanner appliances. The IAC-AST2500A’s firmware is based on the American Megatrends (AMI) MegaRAC SP-X solution, a popular BMC firmware also used by brands such as Asus, Dell, Gigabyte, HP, Lenovo, and Nvidia.

Among the available network services, the expansion card features a web application through which users can fully control the managed host as well as the BMC itself. Figure 1 depicts a screenshot of the interface.

Vulnerabilities Found

By analyzing the web interface of the IAC-AST2500A, we found thirteen vulnerabilities, as listed below:

  • CVE-2021-26727: spx_restservice SubNet_handler_func Multiple Command Injections and Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-26728: spx_restservice KillDupUsr_func Command Injection and Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-26729: spx_restservice Login_handler_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-26730: spx_restservice Login_handler_func Subfunction Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-26731: spx_restservice modifyUserb_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-26732: spx_restservice First_network_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

  • CVE-2021-26733: spx_restservice FirstReset_handler_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

  • CVE-2021-44776: spx_restservice SubNet_handler_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

  • CVE-2021-44467: spx_restservice KillDupUsr_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

  • CVE-2021-44769: TLS Certificate Generation Function Improper Input Validation, CVSS v3.1 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

  • CVE-2021-46279: Session Fixation and Insufficient Session Expiration, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

  • CVE-2021-45925: Username Enumeration, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

  • CVE-2021-4228: Hard-coded TLS Certificate, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

These vulnerabilities affect version 1.10.0 of the standard firmware of the Lanner IAC-AST2500A, except for CVE-2021-4228, which was found on version 1.00.0.
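Most of the high-severity entries above are the same two weakness classes in REST handlers that take a network parameter: a stack-based buffer overflow from copying an oversized value into a fixed buffer, and OS command injection from passing that value to a shell. The following C code is an added illustration of the corresponding mitigations, not code from Lanner, AMI or the advisory; the handler, the buffer size, the `/sbin/ifconfig` path and the parameter name are all assumptions made for the example. It rejects a "subnet" value that does not fit the buffer, restricts it to a dotted-quad IPv4 literal so no shell metacharacter can survive validation, and builds an argv vector for a direct exec rather than a shell command string.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical network-settings handler), not the product's code. */

#define ADDR_MAX 16  /* "255.255.255.255" plus the terminating NUL */

/* Returns 1 if s is a syntactically valid dotted-quad IPv4 address, else 0.
 * Only digits and dots are accepted, so characters a shell would interpret
 * (';', '|', '`', '$', quotes, whitespace) can never pass this check. */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    const char *p = s;
    if (s == NULL || *s == '\0') return 0;
    while (*p) {
        int value = 0, digits = 0;
        while (isdigit((unsigned char)*p)) {
            value = value * 10 + (*p - '0');
            if (++digits > 3 || value > 255) return 0;
            p++;
        }
        if (digits == 0) return 0;        /* empty octet, e.g. "1..2.3" */
        octets++;
        if (*p == '.') { p++; continue; }
        if (*p != '\0') return 0;         /* any other character is rejected */
    }
    return octets == 4 && p[-1] != '.';   /* exactly four octets, no trailing dot */
}

/* Bounded copy of an untrusted parameter into a fixed-size buffer. Unlike
 * strcpy (overflow) or strncpy (silent truncation), an input that does not fit
 * is rejected outright. Returns 0 on success, -1 on rejection. */
int copy_subnet_param(char *dst, size_t dst_len, const char *untrusted)
{
    /* Never read past dst_len bytes of the input when looking for the NUL. */
    const char *nul = memchr(untrusted, '\0', dst_len);
    if (nul == NULL) return -1;                     /* too long, including NUL */
    if (!is_ipv4_literal(untrusted)) return -1;     /* content not allowed */
    memcpy(dst, untrusted, (size_t)(nul - untrusted) + 1);
    return 0;
}

/* Builds the argument vector the handler would hand to execve()/posix_spawn().
 * Because the address is a separate argv element and no shell is involved,
 * the value is data, never command syntax. Returns argc, or -1 on rejection.
 * The binary path is a placeholder for the illustration. */
int build_subnet_argv(const char *untrusted, char *addr_buf, size_t addr_len,
                      const char *argv[4])
{
    if (copy_subnet_param(addr_buf, addr_len, untrusted) != 0) return -1;
    argv[0] = "/sbin/ifconfig";   /* hypothetical path, illustration only */
    argv[1] = "eth0";             /* hypothetical interface name */
    argv[2] = addr_buf;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample inputs: one valid, one carrying a shell separator. */
    const char *samples[] = { "192.168.1.10", "192.168.1.10;id", "1.2.3" };
    char buf[ADDR_MAX];
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int argc = build_subnet_argv(samples[i], buf, sizeof buf, argv);
        printf("%-20s -> %s\n", samples[i], argc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The check is deliberately an allowlist of the expected format rather than a denylist of dangerous characters: a denylist has to anticipate every shell construct, whereas the allowlist only has to describe what a subnet value legitimately looks like.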

Attack Chain Example: CVE-2021-44467 and CVE-2021-26728

CVE-2021-44467 and CVE-2021-26728 describe a possible attack chain whereby an unauthenticated attacker can achieve Remote Code Execution (RCE) with root privileges on the BMC. During the login process, the web application asks through a confirmation dialog if the user w
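The chain works because a handler that should only be reachable by an authenticated user is reachable without a session, and that same handler contains an injectable parameter. The C code below is an added illustration of the structural defence against the first half of that chain; it is not the product's code, and the route paths, privilege levels and handler names are assumptions made for the example. Instead of relying on each handler to remember its own authentication check, a central dispatch table declares the privilege every route requires and enforces it before any handler body runs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical REST dispatcher), not the product's code. */

enum priv { PRIV_NONE = 0, PRIV_USER = 1, PRIV_ADMIN = 2 };

struct session {
    int authenticated;   /* non-zero once login succeeded */
    enum priv level;     /* privilege granted to the session */
};

struct route {
    const char *path;
    enum priv required;                 /* minimum privilege for this route */
    int (*handler)(const char *body);   /* returns an HTTP-style status */
};

/* Placeholder handlers: they stand in for the real work and just report 200. */
static int login_handler(const char *body)       { (void)body; return 200; }
static int kill_dup_handler(const char *body)    { (void)body; return 200; }
static int first_reset_handler(const char *body) { (void)body; return 200; }

/* Hypothetical routes. The table, not the handler, is the source of truth for
 * who may call what, so an unauthenticated client cannot reach a privileged
 * handler simply because its body lacks a check. */
static const struct route routes[] = {
    { "/api/login",      PRIV_NONE,  login_handler },
    { "/api/killdupusr", PRIV_USER,  kill_dup_handler },
    { "/api/firstreset", PRIV_ADMIN, first_reset_handler },
};

/* Returns 404 for an unknown route, 401 when no authenticated session is
 * present, 403 when the session lacks the required privilege, otherwise the
 * handler's own status. Authentication is checked before authorization. */
int dispatch(const struct session *s, const char *path, const char *body)
{
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        if (strcmp(routes[i].path, path) != 0) continue;
        if (routes[i].required == PRIV_NONE) return routes[i].handler(body);
        if (s == NULL || !s->authenticated) return 401;
        if (s->level < routes[i].required) return 403;
        return routes[i].handler(body);
    }
    return 404;
}

int main(void)
{
    struct session user = { 1, PRIV_USER };
    /* Constructed requests: the same path with and without a session. */
    printf("anonymous  /api/killdupusr -> %d\n", dispatch(NULL, "/api/killdupusr", ""));
    printf("user       /api/killdupusr -> %d\n", dispatch(&user, "/api/killdupusr", ""));
    printf("user       /api/firstreset -> %d\n", dispatch(&user, "/api/firstreset", ""));
    return 0;
}
```

A useful review check for a service like this is to list every route whose required privilege is `PRIV_NONE` and confirm each one genuinely needs to be reachable before login; anything else in that set is a broken-access-control finding waiting to be paired with a parsing bug.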
