Nozomi Networks researchers discovered that the firmware of Lanner Electronics' IAC-AST2500 baseboard management controllers is being impacted by 13 security vulnerabilities, which could be exploited to enable remote attacks against operational technology and internet of things
networks, reports The Hacker News
Twelve of the flaws affect Lanner IAC-AST2500 firmware version 1.10.0, while only version 1.00.0 is affected by CVE-2021-4228, according to the report, which noted that four of the bugs were given a 10 on the CVSS scoring system. Threat actors could also chain an access control vulnerability, tracked as CVE-2021-44467, with the buffer overflow bug, tracked as CVE-2021-26728, to allow remote code execution with root privileges.
Updated firmware addressing the issues has since been released by Lanner.
"BMCs represent an attractive way to conveniently monitor and manage computer systems without requiring physical access, in the IT as well as in the OT/IoT domain. Nevertheless, their usability comes at the expense of a broader attack surface, and that may lead to an increase of the overall risk if they are not adequately protected," said researchers.