Researchers with Microsoft are warning that the Boa web server poses a software supply chain security risk to Internet of Things (IoT) devices. Despite being discontinued and having several known security flaws, the web server is still used in a wide range of routers and cameras, as well as in software development kits (SDKs), to provide access to management consoles and device sign-in screens.
Microsoft identified the vulnerable open-source component while investigating a suspected intrusion into the Indian electric grid first detailed by Recorded Future in April, in which attackers used IoT devices as a way to gain a foothold on operational technology (OT) networks. On closer inspection, Microsoft found that Boa web servers were running on all of the IP addresses published as IoCs in Recorded Future’s analysis. Microsoft researchers said the web server, discontinued in 2005, posed a security supply chain risk affecting millions of organizations and devices; over the span of a single week they identified 1 million internet-exposed Boa server components globally.
“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” according to Microsoft Security Threat Intelligence in a Tuesday analysis. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”
The attacks on Indian critical infrastructure detailed by Recorded Future started in 2020 and were observed as recently as October, said Microsoft. While looking at the IP addresses listed as IoCs by Recorded Future, Microsoft researchers said that half of these addresses returned suspicious HTTP response headers that could be associated with deploying the malware used in the attack, and 10 percent of all the active addresses returning the headers were related to critical industries.
Microsoft researchers found that the electric grid attack targeted exposed IoT devices running Boa web servers, and they continue to see attackers attempting to exploit Boa flaws, showing that it still poses an attack risk. Known Boa web server vulnerabilities include a high-severity information disclosure bug (CVE-2021-33558) and a high-severity arbitrary file access flaw (CVE-2017-9833), which enable threat actors to remotely execute code and require no authentication to exploit.
Despite the severity of these flaws, downstream patch management is extremely difficult, both because the web server has been discontinued and because of the complex way it is built into the IoT device supply chain. In many cases, Boa web servers are bundled into SDKs, which are then used as part of IoT devices. These devices are then finally sold to end users, such as corporate or manufacturing companies.
This poses a number of issues. Both impacted device vendors and end users may be completely unaware that their devices are running the discontinued Boa web component, as there is limited visibility into impacted components within IoT devices and whether they can be updated. At the same time, updating IoT device firmware does not always fix the specific vulnerable components, in this case flaws in the Boa web servers.
“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” according to researchers. “In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.”
The complex IoT environment and its barriers to patching have been highlighted by other IoT security issues before. When researchers found nine flaws dubbed Name:Wreck in popular TCP/IP stacks used by connected devices, for instance, they warned that many affected devices are not centrally managed, and that some devices running the vulnerable firmware are mission-critical (such as medical devices or industrial control systems), making them more difficult to take offline while patches are applied.
Despite these challenges, Microsoft researchers recommended that organizations patch vulnerable devices whenever possible, use device discovery to identify vulnerable components across devices, and eliminate unnecessary internet connections to IoT devices on the network.
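One concrete form the device-discovery recommendation can take, as an added example that is not from the Microsoft or Recorded Future reports: Boa announces itself in the HTTP Server response header, so parsing that header from replies already gathered during an inventory scan of your own network flags unmaintained Boa instances and their versions. The HTTP responses and 192.0.2.x hosts below are constructed for illustration.

```python
"""Flag hosts whose HTTP responses reveal the discontinued Boa web server."""
import re
from typing import Optional

# Boa's final release was 0.94.14rc21 (2005), so any Boa banner at all
# indicates an unmaintained component that firmware updates may not replace.
BOA_BANNER = re.compile(r"^Boa/(?P<version>[0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def parse_headers(raw: str) -> dict:
    """Return the response headers of a raw HTTP reply as a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        if ":" not in line:
            continue  # tolerate malformed header lines from odd embedded stacks
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw: str) -> Optional[str]:
    """Return the Boa version string if the Server banner is Boa, else None."""
    server = parse_headers(raw).get("server", "")
    match = BOA_BANNER.match(server)
    return match.group("version") if match else None


def inventory(responses: dict) -> list:
    """Map {host: raw_response} to a sorted list of (host, boa_version) findings."""
    return sorted((host, v) for host, raw in responses.items() if (v := boa_version(raw)))


# Constructed sample responses (not captured traffic); hosts use the RFC 5737 test range.
SAMPLE = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "192.0.2.11": "HTTP/1.0 401 Unauthorized\r\nserver: boa/0.93.15\r\nWWW-Authenticate: Basic realm=\"cam\"\r\n\r\n",
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",  # no Server header at all
}

if __name__ == "__main__":
    for host, version in inventory(SAMPLE):
        print(f"{host}: Boa {version} (discontinued; firmware updates may not patch it)")
```

A host without a Server header, or one that has had the banner stripped, is not flagged, so treat this as a first pass that narrows where to look rather than proof that a device is clean.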
“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations,” said researchers. “This case displays the importance of proactive cyber security practices and the need to identify vulnerable components that may be leveraged by attackers.”