Over a Dozen New BMC Firmware Flaws Expose OT and IoT Devices to Remote Attacks
2022-11-28 10:07

Over a dozen security flaws have been discovered in baseboard management controller firmware from Lanner that could expose operational technology and internet of things networks to remote attacks.

BMC refers to a specialized service processor, a system-on-chip, that's found in server motherboards and is used for remote monitoring and management of a host system, including performing low-level system operations such as firmware flashing and power control.

Nozomi Networks, which analyzed an Intelligent Platform Management Interface from Taiwanese vendor Lanner Electronics, said it uncovered 13 weaknesses affecting IAC-AST2500.

Four of the flaws are rated 10 out of 10 on the CVSS scoring system.

In particular, the industrial security company found that CVE-2021-44467, an access control bug in the web interface, could be chained with CVE-2021-26728, a buffer overflow flaw, to achieve remote code execution on the BMC with root privileges.

Following responsible disclosure, Lanner has released updated firmware that addresses the vulnerabilities in question.


News URL

http://thehackernews.com/2022/11/over-dozen-new-bmc-firmware-flaws.html

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VECTOR | COMPLEXITY | VENDOR | CWE | RISK | SCORE |
|---|---|---|---|---|---|---|---|---|---|
| 2022-10-24 | CVE-2021-44467 | Unspecified vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 | A broken access control vulnerability in the KillDupUsr_func function of spx_restservice allows an attacker to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition, if an input parameter is correctly guessed. | network | low complexity | lannerinc | | | 7.5 |
| 2022-10-24 | CVE-2021-26728 | Out-of-bounds Write vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 | Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). | network | low complexity | lannerinc | CWE-787 | critical | 9.8 |

Related vendor

LAST 12M:

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| BMC | 14 | 0 | 13 | 13 | 12 | 38 |