Boa, an open-source web server suitable for embedded applications that was discontinued since 2005 is now becoming a security threat because of the complex nature of how it was built into the internet of things (IoT) device supply chain. A recent report by tech major Microsoft said that hackers are exploiting vulnerabilities in the software to target organizations in the energy sector.
Microsoft researchers revealed in an analysis that a vulnerable open-source component in the Boa web server, is used widely in a range of routers and security cameras as well as popular software development kits (SDKs), a set of tools that allow developers to write or use an existing framework to develop applications for a given platform.
Despite the software being discontinued a nearly two decades ago, Microsoft reports that attackers are continuing their attempts to exploit the flaws of the Boa web servers which include a high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833). An unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.
“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have a much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” Microsoft said.
Microsoft’s initial discovery of the vulnerable component was made while it was investigating a suspended Indian electric grid intrusion in 2020. This followed a report published in February 2021 by the threat intelligence company Recorded Future which reported on intrusion activity targeting operational assets within India's power grid that it said is likely to be attributed to a Chinese state-sponsored threat activity group that was tracked as RedEcho.
In April 2022, the research group published a new report describing attacks from another Chinese state-sponsored threat actor using IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems.
Researchers said, the damage caused by this vulnerable component could be immense since Microsoft has identified one million internet-exposed Boa server components globally over the span of one week.
Further, due to often being included in popular SDKs, the presence of a Boa server in a product is unknown by many of the users. Realtek SDK is one example of a software development kit that is provided to companies that make routers, access points, and other gateway devices and includes the Boa web server.
Microsoft has also warned about the supply chain risk posed by flaws in widely-used network components as it continues to witness attacks targeting Boa vulnerabilities.