Microsoft warns: This forgotten open-source web server could let hackers 'silently' gain access to your system

Users of affected network gateway appliances likely don't even know their router is running a web server that was discontinued 17 years ago.
Written by Liam Tung, Contributing Writer

Microsoft has raised an alarm about a peculiar cybersecurity threat that serves as a warning to all enterprises about open-source software (OSS) supply chain security.   

The Microsoft Threat Intelligence Center (MSTIC) kicked off its own investigation into an April 2022 report by security vendor Recorded Future about a "likely Chinese state-sponsored" threat actor targeting the Indian power sector for the past two years. 

Recorded Future listed over a dozen network indicators of compromise (IOCs) it had observed between late 2021 and Q1 2022 that were used in 38 intrusions against multiple organisations in India's energy sector.  

Microsoft notes the latest related activity was in October 2022, and says its researchers identified a "vulnerable component on all the IP addresses published as IOCs" by Recorded Future and that it found evidence of a "supply chain risk that may affect millions of organizations and devices."

"We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files," Microsoft said.


The Boa web server, an open-source software project, was abandoned in 2005, but 17 years later still ships in a variety of IoT devices and popular software development kits (SDKs), according to MSTIC.

"Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report's release and that the electrical grid attack targeted exposed IoT devices running Boa," Microsoft says. 

The Boa web server is often used to access settings and management consoles and sign-in screens in devices. 

But since Boa is not maintained anymore, devices or software development kits (SDKs) that still use it will harbour any known vulnerabilities since the date it was abandoned. 


Microsoft suspects Boa remains popular in IoT devices because it ships inside widely used SDKs that contain functions operating on the system on chip (SOC) found in low-powered devices such as routers. 

A case in point is RealTek SDKs, which are used in SOCs and provided to firms that manufacture network gateways such as routers, access points and repeaters. A critical flaw, CVE-2021-35395, concerned RealTek's Jungle SDK, which included a management interface based on Boa. While RealTek did release patches for the SDK, some manufacturers might not have included them in firmware updates. That gap between the SDK fix and the firmware that device owners actually receive is the supply chain risk Microsoft is concerned about. 

Attackers could exploit vulnerabilities in the web server to access networks by collecting information from files, according to Microsoft. Also, organisations may be using networked devices and be unaware that they're running services using Boa. 
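The first step for an organisation in that position is an inventory check: Boa announces itself in the HTTP `Server` response header as `Boa/<version>`, and the last release the project ever shipped was 0.94.14rc21 in 2005. The script below is an added example, not code from the article or from Microsoft; it takes raw HTTP response heads as an internal scanner might record them (the sample responses and 192.0.2.x addresses are constructed) and flags the hosts whose management interface is served by Boa. The caveat a practitioner would want: a vendor can rebrand or strip the banner, so a missing `Boa/` string is not proof that a device is clean, only that this check cannot confirm it.

```python
"""Flag networked devices whose HTTP interface reports the abandoned Boa web server.

Added example for asset inventory; assumes raw HTTP response heads have already
been collected from the devices under review (e.g. by an internal scanner).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Boa sets "Server: Boa/<version>" on every response; 0.94.14rc21 (2005) is the
# final release, so any device reporting it (or older) runs unmaintained code.
LAST_BOA_RELEASE = "0.94.14rc21"

# Header names are case-insensitive; \s*$ also swallows a trailing \r from CRLF.
_SERVER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_BOA_RE = re.compile(r"\bBoa/([0-9A-Za-z.]+)")


@dataclass
class Finding:
    host: str
    server_header: Optional[str]
    boa_version: Optional[str]

    @property
    def runs_boa(self) -> bool:
        return self.boa_version is not None


def parse_server_header(response_head: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = response_head.split("\r\n\r\n", 1)[0]  # ignore any body that follows
    m = _SERVER_RE.search(head)
    return m.group(1) if m else None


def inspect_host(host: str, response_head: str) -> Finding:
    """Classify one host from its HTTP response head."""
    server = parse_server_header(response_head)
    version = None
    if server:
        m = _BOA_RE.search(server)
        if m:
            version = m.group(1)
    return Finding(host=host, server_header=server, boa_version=version)


def triage(responses: dict[str, str]) -> list[Finding]:
    """Return only the hosts that identify themselves as running Boa."""
    return [f for f in (inspect_host(h, r) for h, r in responses.items()) if f.runs_boa]


# Constructed sample data: four devices, two of them on Boa.
SAMPLE_RESPONSES = {
    "192.0.2.10": (
        "HTTP/1.0 401 Unauthorized\r\n"
        "Server: Boa/0.94.14rc21\r\n"
        'WWW-Authenticate: Basic realm="Router"\r\n\r\n'
    ),
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "192.0.2.12": (
        "HTTP/1.1 200 OK\r\n"
        "server: Boa/0.93.15\r\n"  # lower-case header name still matches
        "Content-Type: text/html\r\n\r\n<html>"
    ),
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # no banner
}


if __name__ == "__main__":
    for finding in triage(SAMPLE_RESPONSES):
        tag = "last release, unmaintained" if finding.boa_version == LAST_BOA_RELEASE else "older build"
        print(f"{finding.host}: {finding.server_header} ({tag})")
```

Hosts that come back with a Boa banner should be traced to their SDK and firmware so the device owner can confirm whether the vendor's updates actually picked up the SDK patches; for a device whose banner has been removed, the SDK and chipset vendor remain the only reliable way to answer that question.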

"While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558)," Microsoft notes. 

"These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the 'passwd' file from the device or accessing sensitive URIs in the web server to extract a user's credentials. Moreover, these vulnerabilities require no authentication to exploit, making them attractive targets."
