IoT/OT/ICS threats: Detecting vulnerable Boa web servers

Editor's note: This blog post was updated on 12/1/22 to add the "Update 12/1/22" heading and its corresponding paragraph at the end of the post.

On Nov. 22, 2022 Microsoft announced research findings about an ongoing supply chain attack against IoT devices running Boa web servers. The Boa web server, an open-source small-footprint web server suitable for embedded applications, was discontinued in 2005, but many software development kits still ship this lightweight server on IoT hardware. Since it was discontinued, vulnerabilities have been discovered in Boa that make every version out there exploitable, and since there is no maintainer, none of them will be patched upstream. Users may not even be aware they are running a vulnerable Boa web server on IoT devices they own.

Corelight Labs downloaded and installed the last version of Boa in a lab environment and observed the following string returned in the HTTP Server header:

Boa/0.94.14rc21

The string above can be detected in the HTTP Server header whenever a client on your network visits a Boa server, using this simple Zeek code block:

(image: Zeek code block)

The resulting notices are:

(image: notice.log output)

Corelight Labs released a Zeek package with the code above so you can quickly begin to identify which machines are running a vulnerable Boa web server if someone connects to it on your network today. This package will help check off the “utilize device discovery and classification” remediation recommendation in Microsoft’s research findings.
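The detection described above, written out as an added example (this is not the Corelight Labs package code shown in the screenshot). It watches response headers, matches the `Boa/` prefix observed in the lab, and raises a notice once per responder host and port; the module and notice names are assumptions.

```zeek
@load base/frameworks/notice
@load base/protocols/http

module BoaDetect;

export {
    redef enum Notice::Type += {
        ## Raised when an HTTP response carries a Server header that
        ## identifies the discontinued Boa web server.
        Vulnerable_Boa_Server
    };

    ## Server-header prefix to match. The "Boa/" prefix comes from the
    ## lab observation above (Boa/0.94.14rc21); the pattern is an assumption
    ## that other builds report the same form.
    const boa_server_pattern = /^Boa\// &redef;
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Zeek delivers header names uppercased. Only look at the responder's
    # Server header, not anything the client sent.
    if ( is_orig || name != "SERVER" )
        return;

    if ( boa_server_pattern !in value )
        return;

    NOTICE([$note=Vulnerable_Boa_Server,
            $msg=fmt("%s:%s reports HTTP Server header '%s'",
                     c$id$resp_h, c$id$resp_p, value),
            $sub=value,
            $conn=c,
            # Suppress duplicates per responder so a chatty device
            # produces one notice per suppression interval, not one per request.
            $identifier=cat(c$id$resp_h, c$id$resp_p)]);
    }
```

Load it with `zeek -r capture.pcap boa_detect.zeek` against a capture containing a Boa response, and the hit appears in notice.log with the device address in `id.resp_h`.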

Note that if you install the following open source package, all HTTP headers will be logged to http.log:

https://github.com/sethhall/zeek-log-all-http-headers

Once this package is enabled, the following LogScale (formerly known as Humio) query will pull the devices reporting as Boa web servers on your network too:

#path=http | concatArray(server_header_values,as=headers)| headers=/Boa\/0/

Update 12/1/22

Since publishing this blog we discovered two additional methods for detecting vulnerable Boa web servers. If you have included your networks in Site::local_nets, Zeek's software.log will contain the web server versions of devices in those networks. You can search unparsed_version for vulnerable Boa web servers with the following LogScale query:

#path=software unparsed_version=/Boa\//

If you are running Corelight sensors and have enabled the Entity package, you can also search the software column of known_services.log with the following LogScale query:

#path=known_services software=/Boa\//

By Corelight Labs Team