Researchers at industrial cybersecurity company Nozomi Networks have found over a dozen flaws in baseboard management controller (BMC) firmware. A BMC is a specialized processor that lets administrators remotely manage and monitor a device without going through its operating system or installed applications. Device reboots, operating system installations, firmware updates, system parameter monitoring, and log analysis can all be performed via the BMC.
Many BMC weaknesses have been discovered in recent years, and experts have warned that exploiting them could give a remote attacker access to the target server and possibly cause damage. However, most studies have focused on IT servers. The research by Nozomi Networks focused on a BMC that is used in operational technology (OT) and IoT devices.
Security experts examined the IAC-AST2500A expansion card from Lanner, a Taiwanese firm that specializes in the design and production of network appliances and rugged applied computing platforms. The card provides BMC functionality on network appliances. Its firmware is built on BMC remote management firmware from AMI, which is also used by industry heavyweights including Asus, Lenovo, Dell, Gigabyte, HP, and Nvidia.
The Lanner expansion card ships with a web application that lets users fully control both the host and the BMC. The researchers examined this web interface and found 13 vulnerabilities, including five major security weaknesses that may be used to execute arbitrary code.
Nozomi Networks showed how two of the 13 vulnerabilities, a serious command injection flaw and a medium-severity broken access control problem, could be chained together by an unauthenticated attacker to achieve remote code execution with root privileges on the BMC. The company said that Lanner had developed fixes to address the 13 vulnerabilities. However, it also mentioned that additional problems had been found during its research, and they are currently being addressed.