Username Enumeration
Description
Observable discrepancies in the login process allow an attacker to guess legitimate user names registered in the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observable discrepancies in the login process of Lanner IAC-AST2500A BMC firmware allow unauthenticated attackers to enumerate valid usernames.
Vulnerability
Observable discrepancies in the login process of the Lanner IAC-AST2500A Baseboard Management Controller (BMC) running standard firmware version 1.10.0 allow an attacker to determine whether a given username is registered [2]. The firmware is based on the AMI MegaRAC SP-X solution [1]. The vulnerability exists in the authentication mechanism where the response differs depending on whether the username exists.
Exploitation
An unauthenticated remote attacker can send login requests with arbitrary usernames to the BMC's web interface or API. By analyzing the response (e.g., error messages, timing differences), the attacker can infer the existence of the username [2]. No prior authentication or special privileges are required; only network access to the BMC is needed.
Impact
Successful exploitation allows the attacker to enumerate valid usernames registered on the BMC. This information disclosure (low confidentiality impact) can be used as a stepping stone for further attacks, such as password guessing or targeted credential stuffing [2]. The CVSS score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [2].
Mitigation
Lanner has released updated BMC firmware versions that fix the issue; these are available from Lanner technical support [2]. Asset owners should contact Lanner to obtain the patched firmware. No workarounds are documented. The affected version is 1.10.0; upgrading to a fixed version is recommended.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: =1.10.0
- (no CPE) range: 1.10.0
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.