spx_restservice Login_handler_func Command Injection and Multiple Stack-Based Buffer Overflows

Vulnerability

Command injection and multiple stack-based buffer overflow vulnerabilities exist in the Login_handler_func function of the spx_restservice component in Lanner IAC-AST2500A standard firmware version 1.10.0. The flaws allow an attacker to inject arbitrary commands or overflow buffers by sending specially crafted requests to the BMC's REST API, without requiring any prior authentication [1][2].

Exploitation

An unauthenticated remote attacker can exploit these vulnerabilities by sending malicious HTTP requests to the BMC's REST service. The attacker does not need any network position beyond reachability of the BMC, nor any user interaction. By crafting inputs that trigger command injection or stack buffer overflows in the Login_handler_func, the attacker can execute arbitrary code on the BMC [1][2].

Impact

Successful exploitation grants the attacker arbitrary code execution with root privileges on the BMC. From this position, the attacker can fully compromise the BMC and potentially abuse its privileged access to the managed host, leading to complete compromise of confidentiality, integrity, and availability of both the BMC and the host system [1][2].

Mitigation

Lanner has released updated BMC firmware versions that fix the issue; these are available from Lanner technical support [2]. Asset owners should apply the firmware update as soon as possible. Until patched, network segmentation and restricting access to the BMC's management interface to trusted networks can reduce exposure [1].