VYPR
Unrated severity · NVD Advisory · Published Oct 24, 2022 · Updated May 7, 2025

spx_restservice KillDupUsr_func Broken Access Control

CVE-2021-44467

Description

A broken access control vulnerability in the KillDupUsr_func function of spx_restservice allows an attacker to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition, if an input parameter is correctly guessed. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated attacker can guess an input parameter to the KillDupUsr_func function in spx_restservice and terminate any active user session on the Lanner IAC-AST2500A BMC, causing a Denial-of-Service.

Vulnerability

A broken access control vulnerability exists in the KillDupUsr_func function of spx_restservice on the Lanner IAC-AST2500A Baseboard Management Controller (BMC) running standard firmware version 1.10.0 [1][2]. The function is reachable over the network without authentication, but an attacker must correctly guess a specific input parameter to trigger the arbitrary termination of active sessions [2].
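The following is an added illustration of this bug class, not code from spx_restservice or the Lanner firmware: a session-termination handler whose only protection is a guessable identifier, next to a hardened variant that requires the caller to hold a live session and to own the target session (or be an administrator). All names, the identifier format and the in-memory session store are assumptions.

```python
"""Hypothetical model of the CVE-2021-44467 bug class (broken access control
on a session-kill function). Not the real KillDupUsr_func; all names assumed."""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}   # session_id -> owning username
        self.counter = 0

    def login_guessable(self, user):
        # Weak: sequential identifiers are trivially enumerable.
        self.counter += 1
        sid = f"{self.counter:04d}"
        self.sessions[sid] = user
        return sid

    def login(self, user):
        # 128 bits of randomness: an identifier cannot realistically be guessed.
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def kill_dup_user_vulnerable(self, target_sid):
        """Unauthenticated: whoever supplies a valid id ends that session."""
        return self.sessions.pop(target_sid, None) is not None

    def kill_dup_user_hardened(self, caller_sid, target_sid, admins=frozenset()):
        """Caller must be authenticated and may end only their own sessions,
        unless they are an administrator."""
        caller = self.sessions.get(caller_sid)
        if caller is None:
            return False                      # not authenticated
        target_owner = self.sessions.get(target_sid)
        if target_owner is None:
            return False                      # nothing to terminate
        if caller != target_owner and caller not in admins:
            return False                      # not authorized for this session
        del self.sessions[target_sid]
        return True


def demo():
    weak = SessionStore()
    weak.login_guessable("admin")                              # id "0001"
    knocked_off = weak.kill_dup_user_vulnerable("0001")        # DoS on the admin
    strong = SessionStore()
    admin_sid, op_sid = strong.login("admin"), strong.login("operator")
    no_session = not strong.kill_dup_user_hardened("bogus", admin_sid)
    cross_user = not strong.kill_dup_user_hardened(op_sid, admin_sid)
    own_session = strong.kill_dup_user_hardened(op_sid, op_sid)
    return knocked_off, no_session, cross_user, own_session   # all True
```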

Exploitation

An unauthenticated remote attacker can send crafted requests to the vulnerable KillDupUsr_func endpoint. By guessing the required input parameter (e.g., a session identifier or user token), the attacker can cause the function to terminate active sessions of other users, leading to a Denial-of-Service (DoS) condition [2]. The attack requires no special privileges or user interaction [2].

Impact

Successful exploitation results in an unauthenticated remote attacker being able to arbitrarily terminate active sessions of any other user, making the device inaccessible to legitimate administrators [2]. The impact is limited to availability (DoS) with no effect on confidentiality or integrity; the CVSS score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) [2].

Mitigation

Updated BMC firmware versions that fix the issue are available from Lanner technical support [2]. No workaround is documented in the public references. Asset owners should contact Lanner to obtain the patched firmware and apply it to affected devices [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)