Boa, an open-source web server suitable for embedded applications that was discontinued since 2005 is now becoming a security threat because of the complex nature of how it was built into the internet of things (IoT) device supply chain. A recent report by tech major Microsoft said that hackers are exploiting vulnerabilities in the software to target organizations in the energy sector.
Microsoft researchers revealed in an analysis that a vulnerable open-source component in the Boa web server, is used widely in a range of routers and security cameras as well as popular software development kits (SDKs), a set of tools that allow developers to write or use an existing framework to develop applications for a given platform.
Despite the software being discontinued a nearly two decades ago, Microsoft reports that attackers are continuing their attempts to exploit the flaws of the Boa web servers which include a high-severity information disclosure bug (CVE-2021–33558) and another arbitrary file access flaw (CVE-2017–9833). An unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.
Comments are closed.