A recent alarming report by Microsoft reveals the risks attached to common Internet of Things (IoT) devices using the discontinued Boa web server. Hackers are exploiting vulnerabilities in the software to target organizations in the energy sector.
On Tuesday, Microsoft researchers revealed in an analysis their discovery of a vulnerable open-source component, the Boa web server, which is used widely in a range of routers and security cameras as well as in popular software development kits (SDKs).
Despite the software’s retirement in 2005, it remained popular, and the flaws are now becoming a crisis because the complex way Boa has been built into the IoT device supply chain makes them difficult to mitigate.
Microsoft reports that attackers are continuing their attempts to exploit the flaws in Boa web servers, which include a high-severity information disclosure bug (CVE-2021-33558) and an arbitrary file access flaw (CVE-2017-9833). An unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.
“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have a much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” Microsoft said.
Microsoft’s initial discovery of the vulnerable component was made while it was investigating a suspected Indian electric grid intrusion. This followed a 2021 report by the threat intelligence company Recorded Future detailing that a Chinese threat group was targeting operational assets within India’s power grid.
In April 2022, the firm published a new report describing attacks from another Chinese state-sponsored threat actor using IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems.
Needless to say, the damage caused by this vulnerable component could be immense since Microsoft has identified one million internet-exposed Boa server components globally over the span of one week.
Another major concern is that, because Boa is often bundled inside popular SDKs, many users do not know that a Boa server is present in their product at all. The Realtek SDK is one example: it is provided to companies that make routers, access points, and other gateway devices, and it includes the Boa web server.
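Because Boa's presence is often hidden inside an SDK, the first defensive step is finding which devices on your own network announce it. The following added example (not code from Microsoft's report or from any vendor) parses captured HTTP responses and builds an inventory of hosts whose Server banner identifies Boa; the sample responses and the "Boa/0.94.14rc21" version string are constructed for illustration.

```python
"""Inventory check for Boa web server banners in captured HTTP responses.

Added example (not from the Microsoft report): given raw HTTP response
headers collected from devices on your own network, flag any that
identify themselves as Boa so they can be traced back to the SDK/vendor.
"""
import re
from typing import Dict, Optional

# Boa announces itself in the Server header, e.g. "Server: Boa/0.94.14rc21"
# (the version string in the constructed samples below is an assumption).
BOA_RE = re.compile(r"^\s*Boa(?:/([\w.\-]+))?\s*$", re.IGNORECASE)


def server_header(raw_response: str) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def boa_version(raw_response: str) -> Optional[str]:
    """Return the Boa version if the response came from Boa, else None.
    A bare 'Boa' banner with no version is reported as 'unknown'."""
    value = server_header(raw_response)
    if value is None:
        return None
    m = BOA_RE.match(value)
    if not m:
        return None
    return m.group(1) or "unknown"


def inventory(responses: Dict[str, str]) -> Dict[str, str]:
    """Map host -> Boa version for every host whose banner matches Boa."""
    found = {}
    for host, raw in responses.items():
        ver = boa_version(raw)
        if ver is not None:
            found[host] = ver
    return found


# Constructed sample responses (TEST-NET addresses, not real devices).
SAMPLES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
    "192.0.2.12": "HTTP/1.0 401 Unauthorized\r\nserver: boa\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
}

if __name__ == "__main__":
    for host, ver in inventory(SAMPLES).items():
        print(f"{host}: Boa {ver} - trace to vendor/SDK and check for firmware updates")
```

Hosts flagged here should be mapped back to the device vendor and SDK so that patch status for CVE-2021-33558 and CVE-2017-9833 can be confirmed or the device isolated from the internet.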
Microsoft warns about the supply chain risk posed by flaws in widely-used network components as it continues to witness attacks targeting Boa vulnerabilities.