"Flaw in Aged Boa Web Server Threatens Supply Chain"

Microsoft retired the Boa web server in 2005, but it is still widely used. The company recently revealed that malicious actors in attacks against the energy industry have exploited a vulnerability in the server's open-source component. This development further highlights the supply chain's ongoing vulnerability to attacks. While investigating electrical grid intrusion activity involving common Internet of Things (IoT) devices as the vector used to gain a foothold in Operational Technology (OT) networks and deploy malicious payloads, Microsoft discovered a vulnerable component on all IP addresses published as indicators of compromise (IOCs). The company also found evidence of a supply chain risk that could affect millions of organizations and devices. The ability to collect information undetected before an attack in critical infrastructure networks allows attackers to have a greater impact once the attack is launched, potentially disrupting operations that can cost millions of dollars and affect millions of people. The compromised component was tracked down to the Boa web server. According to Microsoft researchers, the component in question is commonly used to access device settings, management consoles, and sign-in screens. Different vendors continue to implement Boa across various IoT devices and popular Software Development Kits (SDKs). The inclusion of Boa in popular SDKs could be attributed to its continued development in IoT devices. Vulnerable components such as Boa and SDKs are often distributed to customers within devices, adding to supply chain vulnerabilities. Without developers managing the Boa web server, known vulnerabilities could allow attackers to silently gain network access by gathering data from files. Furthermore, those impacted may be unaware that their devices use the decommissioned Boa web server and that firmware updates and patches do not address its known vulnerabilities. This article continues to discuss the flaw in the discontinued Boa web server posing a supply chain risk to IoT and OT environments. 

Security Boulevard reports "Flaw in Aged Boa Web Server Threatens Supply Chain"