Over a dozen security flaws have been discovered in baseboard
management controller (BMC[1]) firmware from Lanner
that could expose operational technology (OT) and internet of
things (IoT) networks to remote attacks.

BMC refers to a specialized service processor, a system-on-chip
(SoC), that’s found in server motherboards and is used for remote
monitoring and management of a host system, including performing
low-level system operations such as firmware flashing[2]
and power control.

Nozomi Networks, which analyzed an Intelligent Platform
Management Interface (IPMC[3]) from Taiwanese vendor
Lanner Electronics, said it uncovered 13 weaknesses affecting
IAC-AST2500[4].

All the issues affect version 1.10.0 of the standard firmware,
with the exception of CVE-2021-4228, which impacts version 1.00.0.
Four of the flaws (from CVE-2021-26727 to CVE-2021-26730) are rated
10 out of 10 on the CVSS scoring system.

In particular, the industrial security company found that
CVE-2021-44467, an access control bug in the web interface, could
be chained with CVE-2021-26728, a buffer overflow flaw, to achieve
remote code execution on the BMC with root privileges.

“When also considering that all processes run with root
privileges on the device, the combined weaknesses enable an
unauthenticated attacker to completely compromise both the BMC and
the managed host,” the company said[5]
in a write-up published last week.

Lanner has since released an updated firmware that addresses the
vulnerabilities in question following responsible disclosure.

“BMCs represent an attractive way to conveniently monitor and
manage computer systems without requiring physical access, in the
IT as well as in the OT/IoT domain,” the researchers said.
“Nevertheless, their usability comes at the expense of a broader
attack surface, and that may lead to an increase of the overall
risk if they are not adequately protected.”

References
- [1] BMC (thehackernews.com)
- [2] firmware flashing (en.wikipedia.org)
- [3] IPMC (en.wikipedia.org)
- [4] IAC-AST2500 (www.lannerinc.com)
- [5] said (www.nozominetworks.com)
Read more https://thehackernews.com/2022/11/over-dozen-new-bmc-firmware-flaws.html

