CyberWire Daily - Flagging firmware vulnerabilities. [Research Saturday]

Episode Date: January 28, 2023

Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks have revealed that there are thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. The research states "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." The conversation also covers what patches may come in the future to help fix these vulnerabilities. The research can be found here: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:07 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So a baseboard management controller, also known as a BMC, it's used for remote monitoring and management of a computer. That's Roya Gordon. She's an OT and IoT security research evangelist at Nozomi Networks.
Starting point is 00:01:40 The research we're discussing today is titled Vulnerabilities in BMC Firmware Affect OT and IoT Device Security. And are there particular systems that they go in or are not included in? So this was used in IT before, but now vendors are trying to expand this into IoT and OT devices. Of course, like any type of remote control of a device that's far away, you want to take advantage of that. It's very convenient. So now we're starting to see vendors create things called expansion cards that bridge the gap between physical devices and the internet. And that's kind of where our vulnerabilities come into play
Starting point is 00:02:32 because anything that's OT, IoT, and attached to the internet is vulnerable. Well, let's dig in here. I mean, how does this affect OT and IoT installations? So with these expansion cards, it's giving the device a capability that it didn't previously have. So expanding the capability. So when our labs conducted the research, we found a vendor who makes these web application expansion cards that gives users root privileges at the device level. And although, again, this is a very convenient piece of technology, we know anything connected to the internet is going to get compromised. And that's kind of why we wanted to push this report out right away. I know this
Starting point is 00:03:17 is a part one. Part two is pending because we're still looking into this. And even if you look at the report, we didn't delve into all 13 of the vulnerabilities. We only highlighted the critical ones. And I'm really excited to talk to you about that today because once I was reading through this with the team, I'm like, wow, I think that a lot of people need to understand what an attacker can do to OT and IoT devices if these vulnerabilities are exploited. Well, let's jump right in. What are some of the highlights with some of the vulnerabilities that you all found? Okay, so in our blog, you know, we do specify the different firmware versions that are vulnerable. So that's key. We don't want to say like all of these devices and all of these expansion cards are vulnerable, but definitely mostly the version 1.10.0.
Starting point is 00:04:11 Now, one of the first and most concerning vulnerabilities is that it allows an attacker who possibly is using brute force. So maybe they're just guessing or using a tool to kind of break into the login portal, or they can use stolen credentials. And we know there's a lot of that circulating on the dark web. But once they attempt to log in, there's a prompt that pops up asking if they want to terminate or override an ongoing session. This function does not provide any verification or checks at all. So an attacker could essentially log in and kill whatever sessions that's ongoing and then be able to take control of the current session and have access directly to whatever OT and IoT devices
Starting point is 00:05:00 that are associated with the expansion card. And we're talking root privileges here, right? Yes. Well, let's go into some of the other things you found here. What other things caught your eye? So once they're in, an attacker could launch essentially a denial of service. So they are denying whoever else had the session open from doing anything. So it's essentially a denial of service.
Starting point is 00:05:27 Another vulnerability is a buffer overflow. And that is a very common, what we called a common weakness enumeration. If you look at a whole bunch of other vulnerabilities, you usually see remote code execution, buffer overflow. And a buffer overflow is essentially when there is more data than what the block of memory can hold. So the new data values rewrite the old data values. And if an attacker is doing this, then they're embedding the new values with malicious commands. It could be to erase files, to shut things down. But essentially, they can use that as a way to push malicious commands into OT, IoT devices. And again, there's nothing that's stopping this from happening.
Starting point is 00:06:12 This isn't a problem with just this vendor. This is just across the board, a common weakness that is in just a lot of devices. And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:07:02 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Now, you all have been in contact with this particular vendor, yes? Yes.
Starting point is 00:07:56 And what's the response been? So we work very closely with our vendors. And that's kind of why it took us a bit to publish this. Because once we discover these vulnerabilities, we're speaking with the vendor, they're verifying that they're vulnerabilities, then they're working on the fix. And we can't publish these vulnerabilities without there being a fix, because we'll just be telling threat hackers, hey, these are vulnerable, and then they'll just go ahead and exploit. So it takes a bit of time. It takes a bit of working with the vendor. Again, that's why we're holding off on
Starting point is 00:08:28 part two, because there's fixes that's in the works. And once those fixes happen, then we can go ahead and release the additional vulnerabilities that we found. But in our blog, we have links to all 13 of the vulnerabilities. They're in the National Vulnerability Database. So once you all click on the links, it takes you to the description of the vulnerability, the different CWEs that's linked to MITRE that actually shows you how you can implement workarounds to those CWEs.
Starting point is 00:09:02 But yeah, we have a very good relationship with the vendor. And we also have the vendor review any of our technical content about vulnerabilities to make sure that we're on the same page. We're not saying something that they don't agree with. So yeah, it's a very good ongoing relationship with this vendor. And just to be clear, you outlined in the research that the vendor is an organization called Lanner. Yes. And what is their specialty? So they create the expansion cards for the BMCs. I see. Yeah, so that's their specialty. They're just trying to create the same kind of BMC
Starting point is 00:09:40 capability and extend that out to OT and IoT devices. But it has a web interface. And in our blog, you can see the screenshots of everything. And again, it's convenient because you're able to physically see what kinds of controls that you're implementing onto the OT and IoT device. But again, we just need to make sure that things like logging in is secure and the memory buffer has alerts and it has blocks and it's not going to rewrite the current data. But again, really unique and good piece of technology. And that's why our team, that's why we do what we do. We're trying to help vendors create more secure products.
Starting point is 00:10:19 It's good to be technologically advanced, but in a secure way. So that's kind of why our team looked into this as well. And of course, anything involving OT and IoT, any devices that are kind of bridging that gap to the internet, we look into and we work with vendors on helping them secure it. In your research, did you uncover any incidences of this being exploited? No, we haven't seen this exploited in the wild. Of course, you never know what's going on on the dark web, but we can't say that we know threat actors are exploiting this intentionally. But again, that's why we were rushing to make
Starting point is 00:11:01 sure we publish this so that the vulnerability can be patched. It can be secured. So there is a new version out. But again, we're working with the vendor that's going to update and create another new version that's going to address the additional vulnerabilities. But no immediate threat as of now, as of what we know. So what are your recommendations here? I mean, I think there are the obvious steps if your equipment is from this provider, but is there broader advice too for folks who are taking advantage of this remote configuration capability with their own equipment?
Starting point is 00:11:45 really only for companies that are using this specific vendor. So we can't say that all expansion cards for BMCs are vulnerable because we haven't looked into those devices. But obviously, first and foremost, get the newest version because it has addressed these vulnerabilities that we found. So we would recommend updating the expansion card. Anytime we're publishing our research, we're publishing the CVE, there is a patch or there's some type of update that the vendor has done. So we definitely recommend whoever is using this Lanner expansion card with the vulnerable version number to update it to the latest. But another tip that I usually advise is to look at all the common weakness enumerations. They're the CWEs. They're the flaws that are usually associated with the vulnerability. So what are the common things that threat actors do once they've exploited a device?
Starting point is 00:12:37 So when you click on the link to the different vulnerabilities, it's going to link you to NVD. And then from there, you can further look at the list of CWEs, click on those links. And when you go to MITRE, it's going to tell you in detail any kind of workaround you need to do to make sure that a threat actor can't take advantage of the buffer overflow function, or they're not able to do remote code execution. There's additional small security that you can implement so that if a threat actor does exploit this,
Starting point is 00:13:08 they can't even take advantage of some of those weaknesses. Our thanks to Roya Gordon from Nozomi Networks for joining us. The research is titled, Vulnerabilities in BMC Firmware Affect OT and IoT Device Security. We'll have a link in the show notes. And now, a message from Black Cloak.
Starting point is 00:13:48 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Thank you. security teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
