Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks

Jul 20, 2023THNHardware Security / SysAdmin

Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware.

“These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions,” Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News.

“They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system.”

To make matters worse, the shortcomings could also be weaponized to drop persistent firmware implants that are immune to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce indefinite reboot loops.

“As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware and computing trust relies on, compromise becomes harder to detect and exponentially more complex to remediate,” the researchers pointed out.

The vulnerabilities are the latest additions to a set of bugs affecting AMI MegaRAC BMCs that have been cumulatively named BMC&C, some of which were disclosed by the firmware security company in December 2022 (CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827) and February 2023 (CVE-2022-26872 and CVE-2022-40258).

The list of new flaws is as follows –

• CVE-2023-34329 (CVSS score: 9.9) – Authentication bypass via HTTP header spoofing
• CVE-2023-34330 (CVSS score: 6.7) – Code injection via dynamic Redfish extension interface

When chained together, the two bugs carry a combined severity score of 10.0, allowing an adversary to sidestep Redfish authentication and remotely execute arbitrary code on the BMC chip with the highest privileges. In addition, the aforementioned flaws could be combined with CVE-2022-40258 to crack passwords for the admin accounts on the BMC chip.

It’s worth pointing out that an attack of this nature could result in the installation of malware that could be used for conducting long-term cyber espionage while flying under the radar of security software, not to mention performing lateral movement and even destroy the CPU by power management tampering techniques like PMFault.

“These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing,” the researchers said. “In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services.”

“As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.”