VYPR
Unrated severity · NVD Advisory · Published Oct 24, 2022 · Updated May 7, 2025

spx_restservice First_network_func Broken Access Control

CVE-2021-26732

Description

A broken access control vulnerability in the First_network_func function of spx_restservice allows an attacker to arbitrarily change the network configuration of the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated attacker can change the network configuration of the BMC via a broken access control in First_network_func.

Vulnerability

A broken access control vulnerability exists in the First_network_func function of spx_restservice in Lanner Inc IAC-AST2500A standard firmware version 1.10.0. This allows an attacker to arbitrarily modify the network configuration of the BMC without proper authentication [1,2]. The affected firmware is based on the American Megatrends (AMI) MegaRAC SP-X solution [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the spx_restservice endpoint, specifically targeting the First_network_func function [2]. No authentication or user interaction is required. The attacker can then change the BMC's network configuration, such as altering the DNS server or gateway address [2]. The attack vector is over the network with low complexity [2].

Impact

Successful exploitation allows an unauthenticated remote attacker to arbitrarily change the network configuration of the BMC [2]. This could lead to denial of service by misconfiguring network settings, or potentially enable further attacks by redirecting traffic to attacker-controlled servers. The CVSS v3.1 score is 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating low integrity and availability impact [2].

Mitigation

Updated BMC firmware versions that fix the issue are available from Lanner technical support [1,2]. Asset owners should contact Lanner to obtain the patched firmware. No workaround is disclosed in the available references. The vulnerability was reported on October 21, 2022 [2].
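
Until patched firmware is installed, unexpected changes to the BMC's network settings are the observable effect of this issue. The following check is an added example, not taken from the advisory or from Lanner: it compares the text printed by `ipmitool lan print` with a recorded baseline and reports any drift. It assumes the BMC answers standard IPMI LAN queries; the sample output, addresses and baseline are constructed, and DNS settings are not part of this output, so they need a separate check.

```python
import ipaddress

# Fields of `ipmitool lan print` output that define how the BMC is reached.
WATCHED = ("IP Address Source", "IP Address", "Subnet Mask",
           "Default Gateway IP", "Backup Gateway IP")

def parse_lan_print(text):
    """Turn the 'Key : Value' lines of `ipmitool lan print` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only: MACs keep theirs
        key = key.strip()
        if sep and key:  # continuation lines have an empty key and are skipped
            fields[key] = value.strip()
    return fields

def _norm(value):
    """Compare addresses as addresses, everything else case-insensitively."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.strip().lower()

def drift(baseline, current_text):
    """Return {field: (expected, observed)} for watched fields that differ."""
    current = parse_lan_print(current_text)
    findings = {}
    for field in WATCHED:
        if field not in baseline:
            continue
        observed = current.get(field)  # None: field missing from the output
        if observed is None or _norm(observed) != _norm(baseline[field]):
            findings[field] = (baseline[field], observed)
    return findings

# Constructed sample output and baseline (documentation addresses, not real hosts).
SAMPLE = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.15
Subnet Mask             : 255.255.255.0
MAC Address             : 02:00:00:aa:bb:cc
Default Gateway IP      : 192.0.2.254
"""
BASELINE = {"IP Address Source": "Static Address", "IP Address": "192.0.2.15",
            "Subnet Mask": "255.255.255.0", "Default Gateway IP": "192.0.2.1"}

if __name__ == "__main__":
    for field, (want, got) in drift(BASELINE, SAMPLE).items():
        print(f"DRIFT {field}: expected {want}, observed {got}")
```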

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
