Nozomi detects 13 BMC firmware vulnerabilities on Lanner hardware exposing OT, IoT devices to RCE attacks

Industrial cybersecurity company Nozomi Networks has identified thirteen vulnerabilities affecting baseboard management controllers (BMCs) of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X, five of which are rated as critical. By abusing these vulnerabilities, an unauthenticated attacker may achieve remote code execution (RCE) with root privileges on the BMC, compromising it and gaining control of the managed host. 

The disclosure by Nozomi Labs follows research conducted over the last year on the security of BMCs, focusing on OT (operational technology) and IoT (internet of things) devices. The researchers also uncovered other vulnerabilities during this work whose patching is still in progress; these therefore cannot yet be disclosed. 

BMCs were previously only found in IT server motherboards, whereas vendors are now broadening the scope of BMCs to cover the OT and IoT sectors. Nevertheless, their usability comes at the expense of a broader attack surface, and that may lead to an increase in the overall risk if they are not adequately protected. 

During its research, Nozomi Labs analyzed Lanner IAC-AST2500A, an expansion card that enables BMC functionalities on Lanner appliances, Nozomi said in its blog post. “IAC-AST2500A’s firmware is based on the American Megatrends (AMI) MegaRAC SP-X solution, a BMC firmware also utilized by brands, such as Asus, Dell, Gigabyte, HP, Lenovo, or NVIDIA,” it added.

The Lanner hardware is IPMI 2.0 compliant and installed in the OPMA slot of the company’s network appliances. It supports a Gigabit management port and provides dedicated management along with a higher security level. With Lanner’s IPMI add-on cards, network appliances can be managed from a central location, enabling remote configuration, installation, reboot, and shutdown through firewalls and NATs.

Nozomi said that the BMC is a supplementary system-on-chip designed for remote monitoring and management of a computer. “Due to this dedicated network interface and tight coupling with critical hardware components (e.g. motherboard chipset), BMCs can perform fully remote low-level system operations, such as keyboard-and-mouse interaction straight from the bootstrap, system power control, BIOS firmware reflash, etc,” it added. 

Among the available network services, the expansion card features a web application through which users can fully control the managed host as well as the BMC itself, Nozomi said.

Two of the vulnerabilities form a possible attack chain through which an unauthenticated attacker can achieve RCE with root privileges on the BMC. “During the login process, the web application asks through a confirmation dialog if the user wants to terminate any other active session on the logged-in account,” Nozomi said.

The functionality is implemented using an authenticated POST request, which is ultimately handled by the ‘KillDupUsr_func’ function of ‘spx_restservice,’ according to the research. “Although the POST request contains a QSESSIONID cookie, the function does not perform any verification checks on the user session. This flaw enables unauthenticated attackers to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition. Further issues can be observed by proceeding with the analysis,” it added. 
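To make the missing check concrete, here is an added example (not code from Nozomi, Lanner or AMI; the in-memory session store, the function names and the `user` request parameter are assumptions) that models the session-termination handler with the flaw described above beside a version that validates the QSESSIONID cookie before acting:

```python
"""Model of the duplicate-session termination endpoint (constructed example).

The vulnerable handler trusts the account name in the request body and never
checks that the QSESSIONID cookie identifies a valid session owned by that
account; the hardened handler does.
"""
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> account name

    def login(self, user: str) -> str:
        """Create a new session for `user` and return its id (the cookie value)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def active(self, user: str) -> int:
        """Number of live sessions for `user`."""
        return sum(1 for u in self.sessions.values() if u == user)

    def kill_dup_vulnerable(self, cookie: Optional[str], user: str) -> int:
        """Flawed: terminates every session of `user` without checking the caller."""
        victims = [s for s, u in self.sessions.items() if u == user]
        for s in victims:
            del self.sessions[s]
        return len(victims)

    def kill_dup_hardened(self, cookie: Optional[str], user: str) -> int:
        """Only an authenticated session owned by `user` may end that account's other sessions."""
        if cookie is None or cookie not in self.sessions:
            raise PermissionError("missing or invalid QSESSIONID")
        if self.sessions[cookie] != user:
            raise PermissionError("session does not belong to the requested account")
        # Keep the caller's own session; drop only the duplicates.
        victims = [s for s, u in self.sessions.items() if u == user and s != cookie]
        for s in victims:
            del self.sessions[s]
        return len(victims)


def denied(store: SessionStore, cookie: Optional[str], user: str) -> bool:
    """True if the hardened handler rejects the request (helper for checks)."""
    try:
        store.kill_dup_hardened(cookie, user)
        return False
    except PermissionError:
        return True
```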

After Nozomi shared all vulnerabilities with Lanner through a responsible disclosure process, the vendor developed updated BMC firmware versions for the IAC-AST2500A that resolve all issues described in the blog post, Nozomi said. 

“The correct patched version strictly depends on the appliance in use; thus, we urge Lanner customers to contact technical support to receive the appropriate package,” the post said. “If asset owners are unable to patch their appliances, we advise enforcing firewall or network access control rules to restrict the network reachability of the web interface to trusted personnel only, or to actively monitor the network traffic via intrusion detection systems,” it added.
