spx_restservice modifyUserb_func Command Injection and Multiple Stack-Based Buffer Overflows
Description
Command injection and multiple stack-based buffer overflow vulnerabilities in the modifyUserb_func function of spx_restservice allow an authenticated attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection and stack-based buffer overflows in Lanner IAC-AST2500A BMC firmware spx_restservice allow root-level remote code execution.
Vulnerability
A command injection and multiple stack-based buffer overflows exist in the modifyUserb_func function of spx_restservice in Lanner IAC-AST2500A BMC firmware version 1.10.0. The vulnerable code path is reachable when an authenticated user sends a crafted request to the BMC's REST API, specifically to endpoints that invoke modifyUserb_func. The issues reside in how user-supplied input is handled without proper validation or bounds checking, leading to both command injection and buffer overflow conditions [1][2].
Exploitation
An authenticated remote attacker with administrative privileges on the BMC can craft a malicious HTTP request targeting the vulnerable modifyUserb_func function. By supplying an overly long or specially crafted input parameter, the attacker can overflow a stack buffer or inject arbitrary commands into a system call. The attacker does not require any user interaction; the attack is performed directly over the network [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary code with root privileges on the BMC. Since the BMC has high privileges over the managed host, the attacker can potentially abuse this to compromise the managed host as well, achieving a full system compromise with severe confidentiality, integrity, and availability impacts [1][2].
Mitigation
Lanner has released updated BMC firmware versions that fix the issue; users should contact Lanner technical support to obtain the patched firmware. Asset owners are advised to restrict network access to the BMC management interface to trusted hosts and apply the vendor-supplied update as soon as possible [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =1.10.0
- (no CPE) range: 1.10.0
Patches
No patches discovered yet.