Microsoft finds Boa web server vulnerable SDK component, leading to supply chain risks across IoT, OT environments

Microsoft researchers identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices. The vulnerable component was found to be the Boa web server, often used to access settings and management consoles and sign-in screens in devices. The popularity of Boa web servers is especially concerning as Boa has been formally discontinued since 2005.

The finding came out of the team's investigation into suspected electrical grid intrusion activity, prompted by an April 2022 report published by Recorded Future, which implicated the compromise of common, often poorly secured IoT devices as the vector used to gain a foothold in operational technology (OT) networks and deploy malicious payloads, Microsoft researchers wrote in a post this week. “Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” they added.

Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access to secure networks and devices, according to the post. “External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries. Attacks on software and hardware supply chains, like Log4J and SolarWinds, have highlighted the importance of visibility across device components and proactively securing networks,” they added. 

Microsoft said that as attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations. 

The researchers also revealed that those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities. The Boa web server is implemented across devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens.

“Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week,” the researchers revealed.

Boa web servers remain pervasive in IoT device development, which may explain their inclusion in SDKs that contain the essential functions operating the system on chip (SOC) implemented in microchips, the researchers said. “Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to supply chain vulnerabilities.”

Popular SDKs, like those released by RealTek, are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters, according to the post. “Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks. While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities,” it added.

Boa servers are affected by several known vulnerabilities, including arbitrary file access and information disclosure, the researchers said. “These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the ‘passwd’ file from the device or accessing sensitive URIs in the web server to extract a user’s credentials. Moreover, these vulnerabilities require no authentication to exploit, making them attractive targets,” they added. 

Microsoft researchers also said that the popularity of the Boa web server shows the exposure risk an insecure supply chain creates, even when security best practices are applied to devices in the network. “Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated,” they added.

The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected before the attack allows the attackers to have a much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.

Microsoft recommends that organizations and network operators patch vulnerable devices whenever possible to reduce exposure across the organization, use device discovery and classification together with vulnerability assessments to identify devices with vulnerable components, and extend vulnerability and risk detection beyond the firewall with platforms. Customers can identify internet-exposed infrastructure running Boa web server components in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface vulnerable assets.
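The discovery step above amounts to checking what each exposed device's embedded web server announces about itself. The following added example, which is not Microsoft's or the Boa project's code, takes HTTP response headers already collected by a discovery tool and flags every host whose Server header names Boa, recording the version string where one is present. The host addresses and banners are constructed sample data; the Boa version strings are illustrative only.

```python
"""Flag Boa web server banners in an HTTP response inventory.

Added example, not code from Microsoft or the Boa project. Input is a
mapping from host to the raw HTTP response headers a discovery tool
collected; hosts and banners below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Server header in a raw HTTP header block; tolerant of CRLF line endings
# and of lowercase header names as some embedded servers emit them.
_SERVER_RE = re.compile(r"^server:[ \t]*(.+?)[ \t\r]*$", re.IGNORECASE | re.MULTILINE)
# Boa product token with an optional version, e.g. "Boa/0.94.14rc21".
_BOA_RE = re.compile(r"\bboa\b(?:/(\S+))?", re.IGNORECASE)

# Constructed inventory: host -> raw response headers (not real devices).
SAMPLE_INVENTORY: Dict[str, str] = {
    "192.0.2.10": 'HTTP/1.0 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\nWWW-Authenticate: Basic realm="router"\r\n\r\n',
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.12": "HTTP/1.0 200 OK\r\nserver: boa/0.93.15\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.14": "HTTP/1.0 200 OK\r\nServer: Boa\r\n\r\n",
}


def parse_server_header(raw_headers: str) -> Optional[str]:
    """Return the Server header value, or None when the response has none."""
    m = _SERVER_RE.search(raw_headers)
    return m.group(1) if m else None


def classify_banner(server_value: Optional[str]) -> Dict[str, object]:
    """Classify a Server header value.

    Boa has had no maintained release since 2005, so any Boa banner is
    flagged as an unmaintained component whatever version it reports.
    """
    if not server_value:
        return {"product": None, "version": None, "unmaintained": False}
    m = _BOA_RE.search(server_value)
    if m:
        return {"product": "Boa", "version": m.group(1) or "unknown", "unmaintained": True}
    product, _, version = server_value.partition("/")
    return {
        "product": product.strip(),
        "version": version.split()[0] if version.strip() else None,
        "unmaintained": False,
    }


def find_boa_hosts(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, boa_version) for every host whose banner names Boa."""
    hits = []
    for host, raw in inventory.items():
        info = classify_banner(parse_server_header(raw))
        if info["product"] == "Boa":
            hits.append((host, str(info["version"])))
    return sorted(hits)


if __name__ == "__main__":
    for host, version in find_boa_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Boa {version} (discontinued component, no upstream fixes)")
```

A banner check is only a first pass: devices whose vendors strip or rewrite the Server header will not appear, so the result should feed into, not replace, component-level inventory from firmware analysis or vendor bills of materials.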

The researchers also called for organizations to reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network and applying network segmentation to prevent an attacker from moving laterally and compromising assets after the intrusion. IoT and critical device networks should be isolated with firewalls. They also urged organizations to use proactive antivirus scanning to identify malicious payloads on devices and configure detection rules to identify malicious activity whenever possible. 
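Two of the controls just described, network segmentation and detection rules, can be checked against the device's own web-server access log. The added example below is not Microsoft's or the Boa project's code: it parses Common Log Format lines forwarded from an IoT device and raises a finding when a request reaches the management interface from outside an assumed management segment, or when the request path, after URL decoding, contains a traversal segment or names the passwd file the article mentions. The management subnet, device addresses and log lines are constructed sample data.

```python
"""Access-log detection rules for devices with an embedded web server.

Added example, not code from Microsoft or the Boa project. Rules:
  non_management_source  request from outside the management segment
  sensitive_file_access  traversal ('..') or 'passwd' in the decoded path
The management network and the log lines are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Sequence
from urllib.parse import unquote

# Assumed management segment; a real deployment takes this from its own
# segmentation plan rather than a hard-coded value.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Common Log Format: src ident user [time] "METHOD path PROTO" status size
_CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed log lines from a hypothetical device at the management interface.
SAMPLE_LOG = [
    '10.0.5.7 - - [22/Nov/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.5.7 - - [22/Nov/2022:10:02:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Nov/2022:10:03:40 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.9 - - [22/Nov/2022:10:03:45 +0000] "GET /../../etc/passwd HTTP/1.0" 200 1316',
    '10.0.5.20 - - [22/Nov/2022:10:05:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 0',
]


def parse_clf(line: str) -> Dict[str, str]:
    """Split one Common Log Format line into named fields."""
    m = _CLF_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def normalise_path(path: str) -> str:
    """URL-decode until stable so %2e%2e and %252e%252e both collapse to '..'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.split("?", 1)[0]


def is_traversal_or_sensitive(path: str) -> bool:
    """True when the decoded path has a '..' segment or names passwd."""
    segments = normalise_path(path).split("/")
    return ".." in segments or any(seg.lower() == "passwd" for seg in segments)


def outside_management_segment(src: str) -> bool:
    """True when the source address is not inside any management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # a non-IP source field is treated as untrusted
    return not any(addr in net for net in MANAGEMENT_NETWORKS)


def evaluate(lines: Sequence[str]) -> List[Dict[str, object]]:
    """Apply both rules to each line; return one finding per matching line."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_clf(line)
        rules = []
        if outside_management_segment(rec["src"]):
            rules.append("non_management_source")
        if is_traversal_or_sensitive(rec["path"]):
            rules.append("sensitive_file_access")
        if rules:
            findings.append({"src": rec["src"], "path": rec["path"],
                             "status": int(rec["status"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f['src']} {f['path']} -> {f['status']} : {', '.join(f['rules'])}")
```

The segmentation rule is the more valuable of the two on a device that cannot be patched: any request from outside the management segment is already a policy violation, whatever its path, and a 200 response to a traversal request is the signal that the device has likely already disclosed data and should be treated as compromised.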

Microsoft also suggested adopting a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility to detect and alert when IoT devices with Boa are used as an entry point to a network and protect critical infrastructure.

The energy sector has been targeted by cybersecurity adversaries globally. Last month, news reports identified that the Hive ransomware-as-a-service (RaaS) group had begun leaking data stolen from India’s Tata Power Energy Company. Less than two weeks earlier, the hacker group had claimed responsibility for a cyberattack against Tata Power, which the company confirmed.

Earlier this year, the World Economic Forum (WEF) said that the cyberattack on the European oil refining hubs of Amsterdam-Rotterdam-Antwerp (ARA) has considerably disrupted the loading and unloading of refined product cargoes amid a continental energy crisis. Cyber attacks have lately targeted port facilities, oil transport and storage facilities, and more recently, a communications company across Europe.
