Critical security vulnerabilities have been found in the MegaRAC Baseboard Management Controller (BMC) firmware, a product of American Megatrends International (AMI). A BMC lets administrators manage a server remotely, including power control and firmware updates, without physical access to the machine. The MegaRAC BMC firmware is used by more than a dozen server manufacturers that supply equipment to numerous cloud service and data center providers. Affected vendors include AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett-Packard Enterprise, Huawei, Ampere Computing, ASRock, and others.
The vulnerabilities, designated as CVE-2023-34329 and CVE-2023-34330, were discovered by security researchers at Eclypsium after they examined AMI source code. This code was stolen by the RansomEXX ransomware gang during a network breach of GIGABYTE, a business partner of AMI. The stolen files were subsequently published on the dark web in August 2021.
These flaws allow attackers to bypass authentication or inject malicious code through Redfish remote management interfaces that are reachable over the network. A remote attacker with network access to the BMC management interface, even without BMC credentials, can execute code on servers running the vulnerable firmware. The bypass works by tricking the BMC into treating an HTTP request as if it had arrived over the internal (host-side) interface, which the firmware trusts. As a result, the attacker can upload and run arbitrary code on the BMC, potentially from the internet if the management interface is publicly exposed.
Eclypsium stated, 'The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (over-voltage / firmware bricking), and indefinite reboot loops that a victim organization cannot interrupt.' They added that such an implant could be extremely hard to detect and very easy for any attacker to recreate as a one-line exploit.
In December 2022 and January 2023, Eclypsium revealed five additional MegaRAC BMC vulnerabilities (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258) that could be exploited to take over, disable, or remotely infect affected servers with malware. The two newly disclosed MegaRAC BMC firmware vulnerabilities can also be chained with those earlier flaws. In particular, CVE-2022-40258, which involves weak password hashes for Redfish & API, could help attackers crack the passwords of admin accounts on the BMC chip, simplifying the attack.
Eclypsium said, 'We have seen no evidence that these or our previously disclosed BMC&C vulnerabilities are being exploited in the wild. However, because threat actors have access to the same source data, the risk of these vulnerabilities being weaponized is significantly raised.'