
Critical Flaws in AMI's MegaRAC BMC Software Expose Servers to Remote Attacks
Two more security flaws have been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software which, if successfully exploited, could allow threat actors to remotely take over vulnerable servers and deploy malware.
“These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions,” Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News.
“They can be exploited by remote attackers who have access to Redfish’s remote management interface, or from compromised host operating systems.”
Worse, the flaws can also be weaponized to drop persistent firmware implants that survive operating system reinstallations and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and trigger infinite reboot loops.
“As attackers shift their focus from user-facing operating systems to low-level embedded code that hardware and computing rely on, compromises become more difficult to detect and exponentially more complex to repair,” the researchers said.
The vulnerabilities are the latest additions to a series of bugs affecting the AMI MegaRAC BMC, collectively named BMC&C, some of which were disclosed by the firmware security firm in December 2022 (CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827) and February 2023 (CVE-2022-26872 and CVE-2022-40258).
The list of new weaknesses is as follows –
- CVE-2023-34329 (CVSS score: 9.9) – Authentication bypass via HTTP header spoofing
- CVE-2023-34330 (CVSS score: 6.7) – Code injection via the dynamic Redfish extension interface
When chained together, the two bugs carry a combined severity score of 10.0, allowing adversaries to bypass Redfish authentication and remotely execute arbitrary code on the BMC chip at the highest privilege level. The two flaws can also be combined with CVE-2022-40258 to crack the admin account password on the BMC chip.
It should be noted that an attack like this can result in the installation of malware that can be used to conduct long-term cyber espionage while evading security software, not to mention enabling lateral movement and even destroying the CPU through power-management tampering techniques such as PMFault.
These vulnerabilities pose a major risk to the supply chain of the technology underlying cloud computing, the researchers said. “In short, a vulnerability in a component supplier affects many hardware vendors, which in turn can be passed on to many cloud services.”
“Thus these vulnerabilities could pose risks to the servers and hardware directly owned by organizations as well as the hardware that supports the cloud services they use.”