Microsoft Alert: This Forgotten Open Source Web Server May Allow Hackers Silent Access to Your System

Microsoft is sounding the alarm about a very specific cybersecurity threat that serves as a warning to all companies about the security of the open source software (OSS) supply chain.

The Microsoft Threat Intelligence Center (MSTIC) has launched its own investigation into an April 2022 report from security solutions maker Recorded Future regarding a “probably Chinese state-sponsored” threat actor that has been targeting India’s energy sector for two years.

Recorded Future listed more than a dozen Network Indicators of Compromise (IOCs) observed between the end of 2021 and the first quarter of 2022. They were used in 38 breaches against multiple organizations in the Indian energy sector.

The Boa web server was discontinued in 2005

Noting that the last related activity was in October 2022, Microsoft says its researchers have identified a “vulnerable component on all IP addresses published as IOCs” by Recorded Future and found evidence of a “supply chain risk that could affect millions of organizations and entities.”

“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and device login screens. Although discontinued in 2005, the Boa web server continues to be deployed by various vendors across a number of popular IoT (internet of things) devices and software development kits (SDKs). If developers do not manage the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by harvesting information from files.”

The Boa web server, a free software project, was discontinued in 2005. But 17 years later, it is still present in a number of popular IoT devices and software development kits (SDKs), according to MSTIC.

Microsoft suspects that Boa will remain popular in IoT devices

“Microsoft estimates that the Boa servers were running on IP addresses on the IOC list published by Recorded Future at the time of the report’s publication, and that the attack on the power grid targeted vulnerable IoT devices running Boa,” Microsoft said.

The Boa web server is often used to access settings and management consoles as well as device login screens. However, since Boa is no longer maintained, devices or SDKs that still use it will harbor all known vulnerabilities since the date of its retirement.

Microsoft suspects that Boa remains popular in IoT devices due to its presence in popular SDKs that contain system-on-chip (SOC) features in microchips used in low-power devices like routers.

“These vulnerabilities could allow attackers to execute code remotely”

A good example is RealTek’s SDKs used in SOCs and supplied to companies that manufacture network gateways such as routers, access points and repeaters. Critical bug CVE-2021-35395 affected RealTek’s Jungle SDK, which included a Boa-based management interface. Although RealTek has released patches for the SDK, some manufacturers may not have included them in firmware updates. So there is a supply chain risk that Microsoft is concerned about.

According to Microsoft, attackers could exploit web server vulnerabilities to gain access to networks by harvesting information from files. In addition, organizations can use network devices without knowing that they are running services using Boa.
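The second point above, that organizations may be running Boa without knowing it, is the one a defender can act on first. The following is an added example, not code from the article, from Microsoft or from Recorded Future: a passive inventory check that parses captured HTTP response headers per host and flags any that identify themselves as Boa. It assumes you already have such captures (from a proxy log or an authorized internal scan); the responses and hosts below are constructed, and the match relies on Boa announcing itself in the Server header (for example "Server: Boa/0.94.14rc21").

```python
"""Passive inventory check: flag hosts whose HTTP responses identify the Boa web server.

Added example, not code from the article or from Microsoft/Recorded Future. It assumes
you have already captured raw HTTP response heads per host (e.g. from a proxy log or an
authorized internal scan). All hosts and responses below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Boa advertises itself in the Server header, e.g. "Server: Boa/0.94.14rc21".
# The trailing (?:\s|$) stops "Boards-Server/1.0" from matching as "Boa".
BOA_SERVER_RE = re.compile(
    r"^\s*Boa(?:/(?P<version>[0-9][0-9A-Za-z.\-]*))?(?:\s|$)", re.IGNORECASE
)

# Constructed sample: host -> raw HTTP response head (status line + headers).
SAMPLE_RESPONSES: Dict[str, str] = {
    "192.0.2.10": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 21 Nov 2022 10:00:00 GMT\r\n"
        "Server: Boa/0.94.14rc21\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "192.0.2.11": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "server: boa/0.93.15\r\n"  # header names and values vary in case
        "WWW-Authenticate: Basic realm=\"Router\"\r\n\r\n"
    ),
    "192.0.2.12": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/1.22.1\r\n\r\n"
    ),
    "192.0.2.13": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"  # no Server header at all
    ),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers as a lowercase-keyed dict; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw: str) -> Optional[str]:
    """Return the advertised Boa version, 'unknown' if Boa without a version,
    or None if the response does not identify Boa (or carries no Server header)."""
    server = parse_headers(raw).get("server")
    if server is None:
        return None
    match = BOA_SERVER_RE.match(server)
    if not match:
        return None
    return match.group("version") or "unknown"


def find_boa_servers(responses: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every host running Boa is a finding: the project has been unmaintained since
    2005, so no version counts as patched. Returns sorted (host, version) pairs."""
    findings: List[Tuple[str, str]] = []
    for host, raw in responses.items():
        version = boa_version(raw)
        if version is not None:
            findings.append((host, version))
    return sorted(findings)


if __name__ == "__main__":
    for host, version in find_boa_servers(SAMPLE_RESPONSES):
        print(f"{host}: Boa {version} -> unmaintained embedded web server; "
              f"trace the device's vendor firmware and SDK lineage")
```

Hosts that omit or rewrite the Server header will not be caught by this check, so treat it as a first pass over what you already log, not as proof of absence; the device vendor's SDK lineage (the RealTek case discussed below) is the more reliable signal.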

“While fixes for RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include fixes for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” Microsoft points out.

“These vulnerabilities could allow attackers to execute code remotely after gaining access to the device by reading the device’s ‘passwd’ file or by accessing sensitive URIs on the web server to extract credentials for a user. Additionally, these vulnerabilities require no authentication to be exploited, which makes them attractive targets.”
