Over a Dozen New BMC Firmware Flaws Expose OT and IoT Devices to Remote Attacks

Above a dozen security flaws have been identified in baseboard administration controller (BMC) firmware from Lanner that could expose operational technology (OT) and internet of points (IoT) networks to distant attacks.

BMC refers to a specialised provider processor, a technique-on-chip (SoC), which is identified in server motherboards and is used for remote checking and management of a host method, like doing very low-degree process functions this sort of as firmware flashing and ability command.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

Nozomi Networks, which analyzed an Smart System Management Interface (IPMC) from Taiwanese vendor Lanner Electronics, reported it uncovered 13 weaknesses affecting IAC-AST2500.

All the issues have an effect on model 1.10. of the regular firmware, with the exception of CVE-2021-4228, which impacts edition 1.00.. 4 of the flaws (from CVE-2021-26727 to CVE-2021-26730) are rated 10 out of 10 on the CVSS scoring system.

In individual, the industrial security company uncovered that CVE-2021-44467, an access management bug in the web interface, could be chained with CVE-2021-26728, a buffer overflow flaw, to reach remote code execution on the BMC with root privileges.

“When also taking into consideration that all procedures operate with root privileges on the device, the merged weaknesses empower an unauthenticated attacker to totally compromise both the BMC and the managed host,” the enterprise stated in a create-up released past week.

Lanner has considering the fact that produced an current firmware that addresses the vulnerabilities in issue adhering to responsible disclosure.

“BMCs depict an attractive way to conveniently observe and take care of computer units without demanding actual physical obtain, in the IT as perfectly as in the OT/IoT domain,” the scientists reported.

“Nevertheless, their usability comes at the price of a broader attack floor, and that may well lead to an enhance of the over-all risk if they are not sufficiently safeguarded.”

Observed this short article appealing? Stick to THN on Fb, Twitter  and LinkedIn to read through extra exceptional content material we article.