Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1


Over the past year, Nozomi Networks Labs has conducted research on the security of Baseboard Management Controllers (BMCs), with a special focus on OT and IoT devices. In part one of this blog series, we reveal thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host. During our research, we uncovered other vulnerabilities whose patching is still in progress and thus cannot be disclosed as of yet; those will be covered in a follow-up blog post.

Our discussion starts with an introduction to BMCs and an illustration of the vulnerabilities discovered. We will then provide an example of how an attacker can abuse these issues to ultimately compromise the device, and conclude with remediations that asset owners can implement.

Baseboard Management Controllers (BMC) 101

A Baseboard Management Controller (BMC) is a supplementary System-on-Chip designed for remote monitoring and management of a computer. Because a BMC has its own dedicated network interface and is tightly coupled with critical hardware components (e.g. the motherboard chipset), it can perform fully remote low-level system operations, such as keyboard and mouse interaction from the very first stage of boot, system power control, BIOS firmware reflash, etc.

In the past, BMCs were only found in IT server motherboards, but vendors are now extending them to the operational technology (OT) and Internet of Things (IoT) sectors. One such vendor is Lanner Inc., a Taiwanese brand specializing in embedded applications. During our research, we analyzed the Lanner IAC-AST2500A, an expansion card that adds BMC functionality to Lanner appliances. The IAC-AST2500A’s firmware is based on the American Megatrends (AMI) MegaRAC SP-X solution, a popular BMC firmware also used by brands such as Asus, Dell, Gigabyte, HP, Lenovo and nVidia.

Among the available network services, the expansion card features a web application through which users can fully control the managed host as well as the BMC itself. Figure 1 depicts a screenshot of the interface.

Figure 1. Screenshot of the web interface of the Lanner IAC-AST2500A

Vulnerabilities Found

By analyzing the web interface of the IAC-AST2500A, we found thirteen vulnerabilities, as listed below:

  • CVE-2021-26727: spx_restservice SubNet_handler_func Multiple Command Injections and Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-26728: spx_restservice KillDupUsr_func Command Injection and Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-26729: spx_restservice Login_handler_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-26730: spx_restservice Login_handler_func Subfunction Stack-Based Buffer Overflow, CVSS v3.1 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-26731: spx_restservice modifyUserb_func Command Injection and Multiple Stack-Based Buffer Overflows, CVSS v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-26732: spx_restservice First_network_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
  • CVE-2021-26733: spx_restservice FirstReset_handler_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • CVE-2021-44776: spx_restservice SubNet_handler_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
  • CVE-2021-44467: spx_restservice KillDupUsr_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • CVE-2021-44769: TLS Certificate Generation Function Improper Input Validation, CVSS v3.1 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2021-46279: Session Fixation and Insufficient Session Expiration, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
  • CVE-2021-45925: Username Enumeration, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  • CVE-2021-4228: Hard-coded TLS Certificate, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

These vulnerabilities affect version 1.10.0 of the standard firmware of Lanner IAC-AST2500, except for CVE-2021-4228 which was found on version 1.00.0.

Attack Chain Example: CVE-2021-44467 and CVE-2021-26728

CVE-2021-44467 and CVE-2021-26728 describe a possible attack chain whereby an unauthenticated attacker can achieve Remote Code Execution (RCE) with root privileges on the BMC. During the login process, the web application asks, through a confirmation dialog, whether the user wants to terminate any other active session on the logged-in account (Figure 2).

Figure 2. Termination of other active sessions on a logged-in account

This functionality is implemented via an authenticated POST request to “/api/KillDupUsr”, which is ultimately handled by the “KillDupUsr_func” function of “spx_restservice”. This function begins as in Figure 3.

Figure 3. CVE-2021-44467 in KillDupUsr_func

Although the POST request contains a QSESSIONID cookie, the function does not perform any verification checks on the user session. This flaw enables unauthenticated attackers to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition (CVE-2021-44467). Further issues can be observed by proceeding with the analysis (Figure 4).

Figure 4. CVE-2021-26728 in KillDupUsr_func

At line 41, “strcat” is called to append the content of “v9”, which holds the value of the externally controllable HTTP parameter “username”, to “dest”, a fixed-size buffer. No check is performed on the length of “v9” before the call, leading to a stack-based buffer overflow.

At line 46, “safe_system” is called with “dest” as its argument. Despite its name, it turned out that arbitrary OS commands injected into the string (for instance, a subshell expression) were executed by the device, leading to a command injection (CVE-2021-26728). Since all processes on the device run with root privileges, the combined weaknesses enable an unauthenticated attacker to completely compromise both the BMC and the managed host.
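As an added illustration (not code from Nozomi Networks, AMI or Lanner), the C sketch below places the pattern described above next to a hardened handler that verifies the session before acting, allow-lists the username, copies it with a bound, and keeps it as a separate argv element rather than building a shell command string. USERNAME_MAX, CMD_BUF_SIZE, the session token and the kill_user command are assumed placeholders, not values from the firmware.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 16   /* assumed limit; real MegaRAC SP-X values are not on the page */
#define CMD_BUF_SIZE 64   /* stands in for the fixed-size "dest" buffer in the write-up */

enum kill_status { KILL_OK = 0, KILL_UNAUTHENTICATED, KILL_BAD_USERNAME, KILL_TOO_LONG };

/* Pattern described for CVE-2021-26728: unbounded strcat into a fixed stack buffer,
 * then the string handed to a shell. Shown for contrast only. */
void vulnerable_kill_dup_user(const char *username) {
    char dest[CMD_BUF_SIZE];
    strcpy(dest, "kill_user ");   /* constructed command prefix */
    strcat(dest, username);       /* no length check: stack-based buffer overflow */
    /* safe_system(dest);  a shell would interpret metacharacters in username */
}

/* Hypothetical session lookup standing in for the QSESSIONID check the original handler
 * omitted (CVE-2021-44467); "constructed-valid-session" is a sample token. */
static bool session_is_valid(const char *qsessionid) {
    return qsessionid != NULL && strcmp(qsessionid, "constructed-valid-session") == 0;
}

/* Allow-list validation: [A-Za-z0-9_.-] only, so no shell metacharacter survives. */
int validate_username(const char *name) {
    if (name == NULL) return KILL_BAD_USERNAME;
    size_t len = strlen(name);
    if (len == 0 || len > USERNAME_MAX) return KILL_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return KILL_BAD_USERNAME;
    }
    return KILL_OK;
}
static char g_last_target[USERNAME_MAX + 1];   /* argv element for a shell-free exec */
/* Hardened handler: check the session first, validate, copy with a bound, and keep the
 * name as its own argv element instead of building a shell command string. */
int kill_dup_user_handler(const char *qsessionid, const char *username) {
    if (!session_is_valid(qsessionid)) return KILL_UNAUTHENTICATED;
    int rc = validate_username(username);
    if (rc != KILL_OK) return rc;
    if (snprintf(g_last_target, sizeof g_last_target, "%s", username)
            >= (int)sizeof g_last_target) return KILL_TOO_LONG;
    /* Production code: execve("/path/to/kill_user", {"kill_user", g_last_target, NULL}, envp) */
    return KILL_OK;
}
const char *last_target(void) { return g_last_target; }
```

The order matters: the session check runs before any input is touched, so an unauthenticated request can neither terminate sessions nor reach the copy or execution paths.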

Remediations

After sharing all vulnerabilities with Lanner via a responsible disclosure process, the vendor developed updated BMC firmware versions for the IAC-AST2500A that resolve all issues described in this blog. The correct patched version strictly depends on the appliance in use; thus, we urge Lanner customers to contact technical support to receive the appropriate package.

If asset owners are unable to patch their appliances, we advise enforcing firewall or network access control rules that restrict network reachability of the web interface to trusted personnel only, or actively monitoring the network traffic with intrusion detection systems.

Summary

BMCs represent an attractive way to conveniently monitor and manage computer systems without requiring physical access, in the IT as well as in the OT/IoT domain. Nevertheless, their usability comes at the expense of a broader attack surface, which may increase the overall risk if they are not adequately protected. In this blog, we have presented the first results of our analysis of BMCs in OT and IoT devices and discussed thirteen vulnerabilities, five of which are rated as critical.

During our assessment, we uncovered further vulnerabilities that are still in the process of being fixed and will be disclosed at a later date. We recommend that our readers regularly monitor our Nozomi Networks Labs page for the release of the follow-up blog post, which will describe the remaining issues.