VYPR
Unrated severity · NVD Advisory · Published Oct 24, 2022 · Updated May 5, 2025

Hard-coded TLS Certificate

CVE-2021-4228

Description

Use of a hard-coded TLS certificate by default allows an attacker to perform Man-in-the-Middle (MitM) attacks even when the connection uses HTTPS. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.00.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hard-coded TLS certificate in Lanner IAC-AST2500A BMC firmware allows remote MitM attacks on HTTPS connections.

Vulnerability

The Lanner IAC-AST2500A BMC firmware version 1.00.0 uses a hard-coded TLS certificate by default, so every unit running that firmware presents the same certificate and private key. An attacker who knows that certificate and key can therefore impersonate the device's HTTPS service, and the browser's TLS validation offers no protection because the presented certificate is the genuine one. The vulnerability is present in the standard firmware version 1.00.0 [2].

Exploitation

An unauthenticated remote attacker with network access to the device can perform a Man-in-the-Middle (MitM) attack. The attacker must be positioned on the network path between the user and the BMC, and the user must initiate an HTTPS connection to the device. The attack complexity is rated high because of the required network position and timing, and user interaction is required [2].

Impact

Successful exploitation allows the attacker to break the confidentiality and integrity of data exchanged with the BMC over HTTPS. The attacker can read and modify the intercepted traffic, potentially capturing credentials or other sensitive information, or injecting malicious content into the management session. The CVSS score is 5.8 (Medium) with scope change [2].

Mitigation

Updated BMC firmware versions that fix the issue are available from Lanner technical support; users should contact Lanner to obtain the patched firmware. No workaround is mentioned in the references [2]. Until the firmware is replaced, the only compensating control is to keep the BMC management interface off untrusted networks, since TLS alone cannot be relied on to authenticate the device.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2
