- The Boa is an open source small-footprint web server that can run on a variety of systems.
- It is highly vulnerable because its code has not been updated since 2005. It also has no access control features and has limited support for SSL.Â
Think back to the year 2005. While cybersecurity was a concern back then, it did not receive even close to the attention it does today. Many devices and software weren’t built with security from the ground up in those days. I reference 2005 because that is the year that a server that is still highly utilized today was discontinued, and hackers are continuing to take advantage of it.Â
What Is a Boa Web Server?
The Boa is an open source small-footprint web server that can run on a variety of systems. That includes everything from an embedded system to a large server cluster. Boa servers are used on routers, security cameras, and IoT devices. Due to their small size, they are integrated into SDKs that are used in many applications. Key components of the server include its BSD operating system, Apache web server and OpenSSL cryptographic library. While they were discontinued almost twenty years ago, they remain extremely popular. Microsoft claims to have identified over 1 million internet-exposed Boa server components in just a week’s time.
What Makes the Boa so Vulnerable?
Its most obvious vulnerability is the fact that it hasn’t had its code updated since 2005. That’s enough right there. It also has no access control features and has limited support for SSL. Another key vulnerability is its absence of Chroot. Chroot stands for â€œchange rootâ€ which is a big deal on Unix-based file systems. When a user runs a program or process in a chroot environment, that user’s activity is restricted to the chroot directory and cannot access files or directories outside of it. This helps to isolate the web server from the rest of the containing system so that threat actors can’t gain access to other parts of the system.
There are several CVEs that relate to the Boa server. One example is NVD â€“ CVE-2017-9833 (nist.gov) which gives attackers the ability to read files with root privileges. Another one is NVD â€“ CVE-2021-33558 (nist.gov), which allows remote attackers to obtain sensitive information using a .html file. Last year, Microsoft issued an alert concerning intrusion activity it detected aimed at Indian power grid entities. The activity involved the exploitation of embedded Boa servers.
Stated Vulnerabilities of the BOA
A primary vulnerability is directory traversal. Attackers use directory traversal attacks to gain access to files and directories outside of the web server’s root directory. This allows them to potentially steal sensitive information, execute arbitrary code or upload malicious files. Boas are also vulnerable to buffer overflow attacks that involve an attacker sending more data to the server than it is capable of handling. This can cause the server to crash and disrupt operations of the integrated system. This type of attack can also be used to execute malicious code on the system as well.
Like any server, Boa may be vulnerable to cross-site scripting (XSS) attacks in which an attacker injects malicious code into a web page that is then used to steal data, modify the page or redirect users to a malicious site. When used in a database environment, Boas may be vulnerable to SQL injection attacks in which an attacker injects SQL commands to the server through the user input. SQL injection attacks are used to gain information about the database to access the data and either exfiltrate it or, in some cases, modify or destroy it. Finally, there are good old-fashioned denial-of-service attacks that can overwhelm Boa and cause it to lose responsiveness or even crash.
Best Security Practices for Boa
Updating and patching may sound like a worn-out mantra, but it goes a long way to reducing attack surfaces. Devices that house Boa should have their firmware updated regularly. Unfortunately, this doesn’t always patch the SDKs or internal SOC components, so it isn’t foolproof. In the end, you can only do what you can do as far as patching. Embedded applications should be updated as well.
Because an attacker gains access to areas outside of the chroot directory by creating a session using the credentials of an authorized user, a secure password policy is essential. Due to the password-cracking abilities of modern GPUs, eight-character passwords are no longer sufficient. Passwords for server access should be 12 characters long, if possible, and consist of a combination of uppercase and lowercase letters, numbers, and symbols. Don’t use words found in the dictionary that are the name of a person, place, or organization, such as a sports team.
Any web-facing asset that hosts a Boa must be protected by a firewall of some typeâ€”if possible, a perimeter firewall that is then supplemented by a locally installed firewall. Granular security policies should be in place to only allow permitted traffic from approved locations. Use network segmentation strategies to restrict access to internal devices that host Boas. Network segmentation involves the use of internally placed firewalls that isolate areas of a network using enforced security strategies.
Regularly monitor your environment to detect and respond to suspicious activity involving the Boa, such as unusual login attempts or excessive resource usage. Intrusion detection and prevention systems should also be in place to prevent attacks.
Vendors that still use Boas in their products and software should have their developers shore up the involved code of the Boa. This would be the only sure way to properly secure it.
The security incidents involving Boa web servers are prime examples of the serious threat legacy systems pose to our world today. It is why product refresh cycles are so important. While there is no way to determine if a device is using Boa, an open port 80 or 8080 could mean the presence of one.Â
Did this article help you understand what makes boa servers vulnerable? Comment below or let us know on FacebookOpens a new window , TwitterOpens a new window , or LinkedInOpens a new window . We’d love to hear from you!
MORE ON VULNERABILITIES
- Intrusion Detection System vs. Intrusion Prevention System: Key Differences and Similarities
- What Is DDoS (Distributed Denial of Service)? Definition, Types, and Prevention Best Practices for 2022
- What Is Packet Sniffing? Meaning, Methods, Examples, and Prevention Best Practices for 2022
- What Is Botnet? Definition, Methods, Attack Examples, and Prevention Best Practices for 2022