Discontinued Boa web servers still pose a threat to the supply chain • The Register

Microsoft warns that systems using the long-defunct Boa web server could be at risk of attack after a series of intrusion attempts into power grid operations in India likely exploited vulnerabilities in the technology.
Those affected may not be aware that their devices are running services that use the discontinued Boa web server and that firmware updates and downstream patches do not address the known vulnerabilities
Researchers at Microsoft’s Security Threat Intelligence unit examined an April report by cybersecurity firm Recorded Future on the 2020 intrusion attempts into India’s power grid and, more recently, into a national emergency call system and the Indian subsidiary of a global logistics company.
Recorded Future attributed the power grid attacks to a Chinese threat group called RedEcho, which used the ShadowPad backdoor malware to compromise IoT devices.
The Microsoft researchers who looked into the report discovered a vulnerable component – the Boa web server – on the IP addresses listed as Indicators of Compromise (IOC). They wrote in their own analysis this week that they “found evidence of a supply chain risk that can affect millions of organizations and devices.”
Boa is an open source web server developed for embedded applications and used to access settings, management consoles and login screens in devices. It was phased out in 2005 but is still used by vendors in a number of IoT devices and popular SDKs, they wrote.
You may not even know it’s happening
“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to sneak into networks by gathering information from files,” the researchers write. “In addition, those affected may be unaware that their devices are running services that use the discontinued Boa web server and that firmware updates and downstream patches are not addressing the known vulnerabilities.”
In this case, Microsoft reviewed Recorded Future’s IP addresses that were included in the list of IOCs and associated many with IoT devices such as routers that contained unpatched vulnerabilities. All published IP addresses were compromised by various attackers using various tactics, including downloading a variant of the Mirai IoT botnet malware, attempts to use default credentials for brute force attacks, and attempts to execute shell commands.
“Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeline of the published report, indicating that Boa is still being targeted as an attack vector,” the analysts write.
Boa is still widely used, with Microsoft discovering more than 1 million internet-exposed Boa server components around the world. It’s particularly common in IoT devices like routers and cameras.
One reason could be that Boa is used in SDKs that are not always patched even when the IoT device firmware is updated. It is also difficult to tell whether device components can be, or have been, updated. An example is RealTek’s SDKs, which include Boa and are used in SoCs by companies that make gateway devices such as routers, access points, and repeaters.
In recent years, attackers have targeted devices using RealTek’s SDKs.
Known Boa web server vulnerabilities include CVE-2017-9833 and CVE-2021-33558, which could allow attackers to remotely execute code after gaining access to the device by reading its “passwd” file, or to steal user credentials after accessing sensitive URIs on the web server. These vulnerabilities can be exploited without user authentication.
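The practical problem the researchers describe is visibility: an operator often cannot tell which devices embed Boa at all. Boa announces itself in the HTTP `Server` header, so a first inventory step is to classify that banner across devices you administer. The script below is an added example, not Microsoft's or Recorded Future's tooling; the host addresses and responses it contains are constructed samples.

```python
"""Flag devices that answer with a Boa web server banner so they can be
inventoried as unmaintained components (Boa development stopped in 2005)."""
import re
import http.client
from dataclasses import dataclass
from typing import Optional

# Boa identifies itself in the Server header, e.g. "Server: Boa/0.94.14rc21".
BOA_BANNER = re.compile(r"^Boa/(?P<version>[0-9A-Za-z.\-]+)", re.IGNORECASE)

@dataclass
class BoaFinding:
    host: str
    version: str
    note: str = "Boa is discontinued (2005); treat as an unpatched SDK component"

def boa_version_from_header(server_header: Optional[str]) -> Optional[str]:
    """Return the Boa version string if the Server header names Boa, else None."""
    if not server_header:
        return None
    m = BOA_BANNER.match(server_header.strip())
    return m.group("version") if m else None

def parse_raw_response_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_raw(host: str, raw: bytes) -> Optional[BoaFinding]:
    """Classify an already-captured response (e.g. from a packet capture)."""
    version = boa_version_from_header(parse_raw_response_headers(raw).get("server"))
    return BoaFinding(host, version) if version else None

def check_live(host: str, port: int = 80, timeout: float = 3.0) -> Optional[BoaFinding]:
    """HEAD / against one device you administer and classify its Server banner."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        server = conn.getresponse().getheader("Server")
    finally:
        conn.close()
    version = boa_version_from_header(server)
    return BoaFinding(host, version) if version else None

# Constructed sample responses (documentation addresses, not real devices).
SAMPLE_RESPONSES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "192.0.2.11": b"HTTP/1.1 401 Unauthorized\r\nServer: nginx/1.18.0\r\n\r\n",
}

def inventory(samples=SAMPLE_RESPONSES) -> list:
    """Return one BoaFinding per sampled host whose banner names Boa."""
    return [f for f in (check_raw(h, r) for h, r in samples.items()) if f]

if __name__ == "__main__":
    for finding in inventory():
        print(f"{finding.host}: Boa {finding.version} - {finding.note}")
```

A banner match is only a starting point: a vendor may strip or rewrite the header, so the absence of a Boa banner does not prove the component is absent from the firmware.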
The ability to collect data from critical infrastructure networks without being detected can lead to attacks that are highly disruptive, cost millions of dollars, and affect millions of people and businesses.
“The popularity of the Boa web server demonstrates the potential risk of compromise of an insecure supply chain, even when security best practices are applied to devices on the network,” the researchers write. “Upgrading IoT device firmware doesn’t always patch SDKs or specific [SoC] components, and there is limited visibility into the components and whether they can be updated.”
Vulnerabilities in the software supply chain have been highlighted by security breaches at SolarWinds and Kaseya in recent years, and amplified by the Log4j vulnerability. In its annual data breach report, Verizon found that 62 percent of attacks that involve breaching devices or systems began with cybercriminals exploiting vulnerabilities in partner systems. ®
https://www.theregister.com/2022/11/23/microsoft_boa_web_server/