Two new critical severity vulnerabilities have been discovered in the MegaRAC Baseboard Management Controller (BMC) software made by hardware and software company American Megatrends International.
MegaRAC BMC provides admins with “out-of-band” and “lights-out” remote system management capabilities, enabling them to troubleshoot servers as if they were physically in front of the devices.
The firmware is used by more than a dozen server manufacturers that provide equipment to many cloud service and data center providers. Affected vendors include the likes of AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett-Packard Enterprise, Huawei, Ampere Computing, ASRock, and more.
Eclypsium security researchers found the flaws (tracked as CVE-2023-34329 and CVE-2023-34330) after analyzing AMI source code stolen by the RansomEXX ransomware gang after breaching the network of computer hardware giant GIGABYTE, one of AMI’s business partners.
As BleepingComputer reported, the RansomEXX threat attackers published the stolen files in August 2021 on their dark web data leak site.
The two security flaws enable attackers to bypass authentication or inject malicious code via Redfish remote management interfaces exposed to remote access:
CVE-2023-34329 – Authentication Bypass via HTTP Header Spoofing (9.9/10 CVSS 3.0 base score)
CVE-2023-34330 – Code injection via Dynamic Redfish Extension interface (6.7/10 CVSS 3.0 base score)
By combining these vulnerabilities, a remote attacker with network access to the BMC management interface and lacking BMC credentials can gain remote code execution on servers running vulnerable firmware.
This is accomplished by tricking the BMC into perceiving the HTTP request as originating from the internal interface. Consequently, the attacker can upload and execute arbitrary code remotely, potentially even from the Internet, if the interface is exposed online.
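The following is an added illustration of the defensive side of the chain described above; it is not code from Eclypsium, AMI or this article. It is a small log filter that flags Redfish requests reaching a BMC from outside the management network, and requests that arrive from a non-internal peer while carrying a header asserting an internal origin. The log format, the header name `X-Source-Interface`, the network ranges and the addresses are all constructed for the example; the actual header spoofed in CVE-2023-34329 is not named in the article and is not assumed here.

```python
import ipaddress
import re

# Constructed sample access-log lines for this example: client_ip method path headers=k:v;k:v
SAMPLE_LOG = """\
10.20.0.5 GET /redfish/v1/Systems headers=Host:bmc.example.test
127.0.0.1 POST /redfish/v1/UpdateService/Actions/SimpleUpdate headers=Host:localhost;X-Source-Interface:internal
203.0.113.44 POST /redfish/v1/UpdateService/Actions/SimpleUpdate headers=Host:bmc.example.test;X-Source-Interface:internal
203.0.113.44 GET /redfish/v1/ headers=Host:bmc.example.test
10.20.0.9 GET /images/logo.png headers=Host:bmc.example.test
"""

# Constructed ranges: the dedicated management LAN, and the ranges only the BMC's own
# internal components should ever appear from.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL_ONLY_NETS = [ipaddress.ip_network("127.0.0.0/8")]

# Hypothetical header name used for this example; any header a BMC treats as
# "this request came from inside" belongs in this set.
TRUST_HEADERS = {"x-source-interface"}

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) headers=(?P<headers>\S*)$")


def parse_line(line):
    """Parse one constructed log line into a record, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    headers = {}
    for kv in m["headers"].split(";"):
        if ":" in kv:
            k, v = kv.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "method": m["method"],
        "path": m["path"],
        "headers": headers,
    }


def in_any(ip, nets):
    return any(ip in net for net in nets)


def classify(rec):
    """Return the list of finding tags for one Redfish request (empty if nothing is suspicious)."""
    findings = []
    if not rec["path"].startswith("/redfish/"):
        return findings
    src_internal = in_any(rec["ip"], INTERNAL_ONLY_NETS)
    # Redfish should only be reachable from the management LAN or the BMC itself.
    if not src_internal and not in_any(rec["ip"], MANAGEMENT_NETS):
        findings.append("redfish_from_outside_mgmt_net")
    # A peer that is not internal must never be able to assert an internal origin.
    if not src_internal and TRUST_HEADERS.intersection(rec["headers"]):
        findings.append("internal_origin_header_from_external_peer")
    return findings


def scan(log_text):
    """Scan a block of log lines; return (ip, path, findings) for every flagged request."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            flagged.append((str(rec["ip"]), rec["path"], findings))
    return flagged


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(findings)}")
```

The second rule is the one that matters for a header-spoofing bypass: even where the management interface is already restricted to a management LAN, a trust-asserting header arriving from any TCP peer other than the BMC's own internal range is a signal worth alerting on, and a front-end proxy in front of the BMC should strip such headers unconditionally.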
Impact includes server bricking and infinite reboot loops
“The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (over-voltage / firmware bricking), and indefinite reboot loops that a victim organization cannot interrupt,” Eclypsium said.
“We also need to emphasize that such an implant can be extremely hard to detect, and is extremely easy to recreate for any attacker in the form of a one-line exploit.”
In December 2022 and January 2023, Eclypsium disclosed five more MegaRAC BMC vulnerabilities (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258) that could be exploited to hijack, brick, or remotely infect compromised servers with malware.
Furthermore, the two MegaRAC BMC firmware vulnerabilities disclosed today can be chained with the ones mentioned above.
Specifically, CVE-2022-40258, which involves weak password hashes for Redfish & API, could help attackers crack the administrator passwords for the admin accounts on the BMC chip, making the attack even more straightforward.
“We have seen no evidence that these or our previously disclosed BMC&C vulnerabilities are being exploited in the wild,” Eclypsium said.
“However, because threat actors have access to the same source data, the risk of these vulnerabilities being weaponized is significantly raised.”