Security News > 2022 > November > Still using a discontinued Boa web server? Microsoft warns of supply chain attacks
Those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.
Boa is an open-source web server designed for embedded applications and used to access settings, management consoles, and sign-in screens in devices.
"Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities."
Boa is still widely used, with Microsoft detecting more than 1 million internet-exposed Boa server components around the world.
Attackers over the past few years have targeted devices that use RealTek's SDKs. Among the known Boa web server vulnerabilities are CVE-2017-9833 and CVE-2021-33558, which could enable attackers to remotely run code after gaining access to the device by reading its "Passwd" file or stealing user credentials after access sensitive URIs in the web server.
"The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network," the researchers wrote.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/11/23/microsoft_boa_web_server/
Related news
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
- New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (source)
- Crafting Shields: Defending Minecraft Servers Against DDoS Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-27 | CVE-2021-33558 | Unspecified vulnerability in BOA 0.94.13 Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. | 7.5 |
| 2017-06-24 | CVE-2017-9833 | Path Traversal vulnerability in BOA 0.94.14.21 /cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. | 7.5 |