Vulnerabilities in “lights out” server management firmware

A number of high-profile server vendors inherit vulnerabilities in baseboard management controllers from American Megatrends (AMI).

The vulnerabilities affect machines with AMI BMCs that embed the company’s MegaRAC software.


The bugs were discovered by Eclypsium and are detailed here.

“MegaRAC BMC is widely used by many leading server manufacturers to provide ‘lights-out’ management capabilities for their server products,” Eclypsium notes.

The chips are used by AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta and Tyan.

Eclypsium said it began investigating AMI’s BMCs in August after some of AMI’s software was leaked.

Eclypsium said the vulnerabilities it found can be exploited by an attacker that gets access to the management interfaces, which expose remote management APIs to the network.

The most serious of the three bugs Eclypsium detailed is CVE-2022-40259, rated critical with a CVSS score of 9.9.

This bug provides arbitrary code execution via the Redfish remote management API (Redfish is the successor to IPMI, the Intelligent Platform Management Interface).

An API call provides arbitrary code execution, but requires the attacker to have “a minimum access level on the device (callback or up).”

Two other vulnerabilities are rated as high.

CVE-2022-40242 (CVSS score 8.3) is a default credential for root, accessible via SSH; meanwhile CVE-2022-2827 (CVSS score 7.5) provides user enumeration via a password reset request.

One of the password reset parameters “can be manipulated in such a way that it is possible to determine whether the user exists or not, with no prior knowledge other than the username itself,” the advisory explained.

“The vulnerability also allows an attacker to test for the presence of user accounts by iterating through a list of possible account names.”
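To show the class of bug behind CVE-2022-2827 and its usual fix, here is an added illustration (not MegaRAC code; the user store, handler names and messages are constructed assumptions): a password-reset handler whose response reveals whether the account exists, beside one that answers identically either way, plus a small check that tells the two apart.

```python
# Constructed example of a password-reset existence oracle and its hardened form.
# Not MegaRAC code: USERS, the handler shapes and the messages are assumptions.
import secrets

USERS = {"admin": "admin@example.invalid", "operator": "ops@example.invalid"}  # constructed
OUTBOX = []  # records (address, token) that would be delivered out of band


def reset_vulnerable(username: str) -> dict:
    """Leaky handler: status and message depend on whether the account exists."""
    if username not in USERS:
        return {"status": 404, "message": "User not found"}
    token = secrets.token_urlsafe(16)
    OUTBOX.append((USERS[username], token))
    return {"status": 200, "message": f"Reset link sent to {USERS[username]}"}


def reset_hardened(username: str) -> dict:
    """Uniform handler: same status and message for known and unknown names."""
    token = secrets.token_urlsafe(16)  # same work on both paths, so timing matches too
    if username in USERS:
        OUTBOX.append((USERS[username], token))
    return {"status": 202, "message": "If the account exists, a reset link has been sent."}


def is_enumeration_oracle(handler, known: str, unknown: str) -> bool:
    """True when the handler's responses differ for an existing vs. a missing name."""
    return handler(known) != handler(unknown)
```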

CVE-2022-40259 and CVE-2022-40242 provide access to the administrative shell, the post said, with no further escalation necessary.
