spx_restservice SubNet_handler_func Broken Access Control

Vulnerability

The SubNet_handler_func function in the spx_restservice component of Lanner Inc IAC-AST2500A standard firmware version 1.10.0 suffers from a broken access control vulnerability. The code path is reachable by any unauthenticated network request targeting this REST endpoint.

Exploitation

An unauthenticated remote attacker needs only network access to the affected BMC's REST API. By sending a crafted HTTP request to the SubNet_handler_func handler, the attacker can arbitrarily modify the security access rights assigned to the KVM (Keyboard, Video, Mouse) and Virtual Media features. No prior authentication, user interaction, or special privileges are required [1], [2].

Impact

Successful exploitation allows the attacker to change the access control configuration for KVM and Virtual Media functionalities. While the vulnerability itself does not directly disclose sensitive information or enable code execution, it undermines the security policy of the BMC, potentially granting unauthorized remote access to video output or virtual CD/DVD/floppy drives. The CVSS v3.1 score is 6.5 (medium) with a confidentiality impact of none, integrity impact of low, and availability impact of low [2].

Mitigation

Lanner has released updated BMC firmware versions that fix the issue; affected users should obtain the patched firmware from Lanner support [2]. No workarounds are documented in the available references. If patching is not immediately possible, network segmentation and strict access control lists should be applied to limit exposure of the BMC management interface to trusted hosts only.