Faults in controllers leave IoT and OT devices vulnerable

Smart industry control
Sheila Zabeu

December 10, 2022

Research conducted by Nozomi Networks Labs with a particular focus on Internet of Things (IoT) and Operational Technologies (OT) devices has revealed 13 security vulnerabilities in Baseboard Management Controllers (BMCs). By exploiting these flaws, attackers can remotely execute code with privileges, gaining control of the managed host.

These controllers (BMCs) are supplementary System-on-Chips (SOCs) used in remote monitoring and management. Due to the dedicated network interface and association with critical hardware components (e.g. motherboard chipset), BMCs can perform fully remote system operations such as keyboard and mouse interaction directly from bootstrap, system power control, BIOS firmware reflash, and others.

Previously found only in server motherboards, today BMCs can also be adopted by IoT and OT devices. One supplier of this type of solution is the Taiwanese company Lanner, which specialises in embedded applications and provides the IAC-AST2500A expansion board with BMC functionality and MegaRAC SP-X firmware from American Megatrends (AMI). This expansion board features a Web application that can fully control both the managed hosts and the BMC itself.

Image of the Lanner IAC-AST2500A web interface
Source: Nozomi Network Labs

There were 13 vulnerabilities found in the IAC-AST2500A Web interface, affecting version 1.10.0 of the standard Lanner IAC-AST2500 firmware, except for one (CVE-2021-4228) found in version 1.00.0. Of that total, five are classified as critical. Other flaws were also discovered but are still being fixed and will be disclosed later by Nozomi Networks Labs.

Based on two vulnerabilities (CVE-2021-44467 and CVE-2021-26728), it is possible to initiate attack chains in which the attacker executes code remotely with privileges.

After sharing all vulnerabilities with Lanner, the vendor has developed updated BMC firmware versions for the IAC-AST2500A that resolve all the issues described by Nozomi Networks Labs. The patched version strictly depends on the device in use, so it is recommended to contact Lanner technical support to receive the appropriate package.

If it is not possible to apply the patch to the affected devices, Nozomi Networks Labs recommends using firewall or network access control rules to restrict access to the BMC interface to trusted personnel only, or actively monitoring network traffic with intrusion detection systems.
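As an added illustration of that compensating control (example code written for this article, not Nozomi's or Lanner's tooling), the script below does two things: it turns a trusted-management allow list into nftables-style rule strings for the BMC web port, and it applies the same allow list as a detection rule over access-log lines from the BMC web interface, flagging every request that comes from outside the trusted networks. The networks, port and log lines are constructed assumptions; the combined-log format is assumed, since the page does not show what the device actually logs.

```python
import ipaddress
import re
from dataclasses import dataclass

# Trusted management networks (constructed values): only hosts in these
# ranges are allowed to reach the BMC web interface.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]
BMC_HTTPS_PORT = 443  # assumed port of the BMC web application

# Constructed access-log lines in combined-log style; not captured from a
# real Lanner/AMI device. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for untrusted sources.
SAMPLE_LOG = """\
10.10.0.15 - - [10/Dec/2022:09:01:12 +0000] "GET /login.html HTTP/1.1" 200 1532
10.10.0.15 - - [10/Dec/2022:09:01:20 +0000] "POST /api/session HTTP/1.1" 200 87
203.0.113.44 - - [10/Dec/2022:09:03:55 +0000] "GET /login.html HTTP/1.1" 200 1532
203.0.113.44 - - [10/Dec/2022:09:03:58 +0000] "POST /api/session HTTP/1.1" 401 60
198.51.100.7 - - [10/Dec/2022:09:05:02 +0000] "GET /api/settings HTTP/1.1" 401 45
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def is_trusted(ip: str) -> bool:
    """True if the client address lies inside one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def nft_allowlist(port: int = BMC_HTTPS_PORT) -> list[str]:
    """Render the allow list as nftables rule lines: accept trusted sources, drop the rest."""
    rules = [f"ip saddr {net} tcp dport {port} accept" for net in TRUSTED_MGMT_NETS]
    rules.append(f"tcp dport {port} drop")
    return rules


def find_untrusted_access(log_text: str) -> list[Finding]:
    """Return every request to the BMC web interface whose client is outside the allow list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count flagged requests per client so an alert names the offending hosts."""
    by_ip: dict[str, int] = {}
    for f in findings:
        by_ip[f.ip] = by_ip.get(f.ip, 0) + 1
    return by_ip


if __name__ == "__main__":
    print("\n".join(nft_allowlist()))
    for f in find_untrusted_access(SAMPLE_LOG):
        print(f"ALERT untrusted BMC access: {f.ip} {f.method} {f.path} -> {f.status} at {f.ts}")
```

The same allow list drives both the firewall rule and the detection rule, so the two controls cannot drift apart; a hit from the detection side while the firewall rule is in place indicates either a rule gap or a path around the firewall.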

Nozomi Networks Labs warns that BMCs are an exciting way to conveniently monitor and manage systems without requiring physical access, both in the IT field and in the IoT and OT domains. However, this convenience is gained at the expense of a broader attack surface that can generate more risk if not adequately protected.

More vulnerabilities, now in SDK

A report published by Recorded Future in April 2022 detailed suspicious intrusion activity on India’s power grid, involving standard IoT devices as a vector to gain a foothold on OT networks and deploy malicious code.

In investigating this attack activity, Microsoft researchers identified a vulnerable component and found evidence of supply chain risks that could affect millions of organisations and devices.

Microsoft pointed out that the vulnerable component is the Boa web server, used to access settings, management consoles and login screens on devices. Despite being discontinued in 2005, this server continues to be used in IoT device development. One reason for this may be its inclusion in popular SDKs with essential functions that operate SOCs implemented on microchips. Vulnerable components such as Boa servers and SDKs are often distributed within devices, contributing to spreading vulnerabilities in supply chains.

Data from the Microsoft Defender Threat Intelligence platform identified more than 1 million Boa server components exposed on the Internet worldwide during one week.

Without maintenance, known vulnerabilities in the Boa web server make it easy for attackers to gain silent access to networks and gather information. In addition, many users may not know that their devices use this discontinued server and that firmware updates and patches do not address known vulnerabilities.
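Finding the discontinued component in your own estate, as Microsoft's discovery guideline asks, usually starts with the HTTP banner. The block below is an added example, not Microsoft's or Boa's code: it parses raw HTTP responses as an internal asset scanner might record them, extracts the `Server` header, and builds an inventory of hosts that advertise Boa together with the version string. The responses and hosts are constructed; the example assumes the device announces Boa in its `Server` header, which a device may also suppress, so a missing match is not proof of absence.

```python
import re
from typing import Optional

# Constructed raw HTTP responses keyed by host, as an asset scan might store
# them. None of these are from a real device.
SAMPLE_RESPONSES = {
    "10.20.1.5": (
        b"HTTP/1.0 200 OK\r\n"
        b"Date: Sat, 10 Dec 2022 09:00:00 GMT\r\n"
        b"Server: Boa/0.94.14rc21\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html>...</html>"
    ),
    "10.20.1.9": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx/1.22.1\r\n"
        b"Content-Type: text/html\r\n\r\n"
    ),
    "10.20.1.12": (
        b"HTTP/1.0 401 Unauthorized\r\n"
        b"server: Boa/0.94.13\r\n"
        b'WWW-Authenticate: Basic realm="device"\r\n\r\n'
    ),
    "10.20.1.20": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n\r\n"
        b"{}"
    ),
}

# Boa identifies itself as "Boa/<version>"; match case-insensitively because
# some embedded stacks lower-case header values.
BOA_RE = re.compile(r"^Boa/(?P<version>[\w.\-]+)", re.IGNORECASE)


def parse_headers(raw: bytes) -> dict[str, str]:
    """Return response headers with lower-cased names; the body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def detect_boa(raw: bytes) -> Optional[str]:
    """Return the advertised Boa version, or None if the banner is not Boa."""
    server = parse_headers(raw).get("server", "")
    m = BOA_RE.match(server)
    return m["version"] if m else None


def inventory(responses: dict[str, bytes]) -> dict[str, str]:
    """Map each host whose banner says Boa to the version it reports."""
    result = {}
    for host, raw in responses.items():
        version = detect_boa(raw)
        if version is not None:
            result[host] = version
    return result


if __name__ == "__main__":
    for host, version in inventory(SAMPLE_RESPONSES).items():
        print(f"{host}: Boa/{version} (discontinued web server, schedule for patch or isolation)")
```

Every match is a candidate for the patch-or-isolate workflow in the guidelines that follow, whatever version string it reports, because the project itself has not shipped fixes since it was discontinued.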

Microsoft recommends the following guidelines for maintaining network security:

  • Patch vulnerable devices where possible.

  • Use device discovery and classification capabilities to identify those with vulnerable components and define workflows to apply appropriate patches.

  • Extend vulnerability and risk detection beyond the firewall.

  • Reduce the attack surface by eliminating unnecessary connections from IoT devices to the Internet.

  • Use segmentation to prevent attackers from moving laterally across networks and compromising more assets after breaking in. Critical IoT and network devices should be isolated with firewalls.

  • Perform proactive antivirus scanning to identify malicious payloads on devices.

  • Configure detection rules to identify malicious activity wherever possible.