Flaw in Aged Boa Web Server Threatens Supply Chain

Microsoft may have retired the Boa web server in 2005, but that hasn’t stopped widespread use—and now the company is saying a vulnerability in the server’s open source component has been exploited by bad actors, targeting the energy industry and underscoring the continued vulnerability of the supply chain.

While investigating “electrical grid intrusion activity [that] implicated common IoT devices as the vector used to gain a foothold into operational technology (OT) networks and deploy malicious payloads” reported by Recorded Future, Microsoft “identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices,” according to a Microsoft Security Threat Intelligence blog post.

“In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” the researchers said.

The vulnerable component was traced to the Boa web server; the component in question is “often used to access settings and management consoles and sign-in screens in devices,” Microsoft researchers noted, adding that different vendors continue to implement Boa across a variety of IoT devices and popular software development kits (SDKs).

Boa’s continued presence in IoT devices could be attributed to its inclusion in popular SDKs, “which contain essential functions that operate system-on-chip (SOC) implemented in microchips. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to supply chain vulnerabilities,” Microsoft said.

“Popular SDKs, like those released by RealTek, are used in SOCs provided to companies that manufacture gateway devices like routers, access points and repeaters,” the researchers noted. “Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets and move laterally on networks.”

And, “without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” Microsoft wrote. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server and that firmware updates and downstream patches do not address its known vulnerabilities.”

The company pointed out that “while patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities.”

The servers “are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” Microsoft said. “These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the ‘passwd’ file from the device or accessing sensitive URIs in the web server to extract a user’s credentials. Moreover, these vulnerabilities require no authentication to exploit, making them attractive targets.” That makes them particularly dangerous.

“Age-old vulnerabilities such as this provide a jumping-off point for attackers looking to move laterally to more sensitive areas by abusing the identity attack surface,” said Sharon Nachshony, security researcher at Silverfort. “With access to critical areas inside OT environments, their activities can quickly become significantly more impactful.”

“There is a long-standing supply chain risk to IoT and OT environments from legacy technology,” Nachshony said, which is why it’s critical to stay current with updates and fixes. “While hard to manage, given the abundance of such technology in critical industries, a rigorous patching regime is essential.”

In addition to patching, Microsoft recommended using device discovery and classification, extending vulnerability and risk detection beyond the firewall, reducing the attack surface, using antivirus scanning and configuring detection rules to identify malicious activity.
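Two of those recommendations, device discovery and detection rules, can be illustrated in a few lines. The following is an added example, not code from Microsoft or from the Boa project: it classifies constructed HTTP banners by whether the `Server` header identifies Boa (the version string is a sample value), and flags constructed access-log lines whose request path suggests the kind of unauthenticated file access described above.

```python
import re

# Constructed sample HTTP response headers, as a discovery scan of a
# management console might capture them (not output from any real device).
SAMPLE_BANNERS = {
    "10.0.0.11": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.12": "HTTP/1.1 401 Unauthorized\r\nServer: lighttpd/1.4.59\r\nWWW-Authenticate: Basic realm=\"x\"\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Constructed access-log lines in common log format (not from any real device).
SAMPLE_LOG = [
    '10.0.0.50 - - [21/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.99 - - [21/Nov/2022:10:01:09 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.99 - - [21/Nov/2022:10:01:15 +0000] "GET /cgi-bin/login HTTP/1.1" 200 300',
]

# A Boa server announces itself in the Server header, optionally with a version.
BOA_RE = re.compile(r"^Server:\s*Boa(?:/(\S+))?", re.IGNORECASE | re.MULTILINE)

def classify_banner(raw):
    """Return (is_boa, version) for a raw HTTP response header block."""
    m = BOA_RE.search(raw)
    if not m:
        return False, None
    return True, m.group(1)

def inventory(banners):
    """Map address -> Boa version for every host whose banner identifies Boa."""
    found = {}
    for addr, raw in banners.items():
        is_boa, version = classify_banner(raw)
        if is_boa:
            found[addr] = version
    return found

# Detection rule: traversal sequences or a request for the passwd file in the path.
SUSPICIOUS = re.compile(r"(\.\./|%2e%2e|passwd)", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*" (\d{3})')

def flag_requests(lines):
    """Return (client, path, status) for log lines matching the detection rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and SUSPICIOUS.search(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits
```

A hit with a 200 status on a host that `inventory` lists as Boa is the combination worth escalating, since the page notes these servers require no authentication to exploit.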

But Sounil Yu, CISO at JupiterOne, likened software to food past its expiration date and noted it should be treated accordingly. “Some of it is poisoned with vulnerabilities. Some of it has expired (past the date that it might sicken you if you consume it),” said Yu. “Boa meets both conditions. Perhaps we should more stringently apply another old food adage: If in doubt, throw it out.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.