Security researchers have disclosed three vulnerabilities in the AMI MegaRAC BMC (Baseboard Management Controller) firmware from American Megatrends. The issues affect server hardware used by many data centers and cloud service providers.
The vulnerabilities were found by Eclypsium researchers in August 2022, after proprietary American Megatrends code, including the MegaRAC BMC firmware, leaked online. Having analyzed the firmware, the researchers found bugs that, under certain conditions, can be used to execute arbitrary code, bypass authentication, and enumerate user accounts.
Let me remind you that BMCs are equipped with their own CPU, storage and network interface, through which a remote administrator can connect and instruct the server or PC to perform operations such as changing OS settings, reinstalling the OS, or updating drivers. In effect, such solutions let administrators troubleshoot many problems remotely, as if they were physically present at the device.
MegaRAC BMCs are used by at least 15 major server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
Researchers have identified the following issues, which have already been reported to American Megatrends and affected vendors:
- CVE-2022-40259: a critical vulnerability allowing arbitrary code execution through the Redfish API, caused by a command being exposed to the user (9.9 out of 10 on the CVSS 3.1 scale);
- CVE-2022-40242: default credentials for the sysadmin user, allowing an attacker to obtain an administrative shell (CVSS 3.1 score 8.3);
- CVE-2022-2827: a query manipulation flaw that allows usernames to be enumerated, i.e. to determine whether a particular account exists on the system (CVSS 3.1 score 7.5).
Experts emphasize that the most serious of the three, CVE-2022-40259, requires prior access to at least a low-privileged account in order to make the API call. Exploiting CVE-2022-40242, by contrast, requires only remote network access to the device. Thus, the first two problems are extremely serious, as they give attackers an administrative shell without the need for further privilege escalation.
The third flaw does not by itself have a significant security impact, but it reveals whether particular accounts exist, which opens a direct path to brute force or credential stuffing attacks (trying credentials already leaked from other breaches).
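To make the third point concrete, here is an added illustration (not code from Eclypsium, AMI or the leaked firmware, and not a model of the actual CVE-2022-2827 request) of what a username-enumeration oracle looks like, how an attacker turns it into a confirmed user list, and why a uniform response closes it. The account names, response strings and candidate wordlist are constructed for the example.

```python
# Added illustration: a username-enumeration oracle and its uniform-response fix.
# Account names, messages and the candidate list are constructed; this is not
# MegaRAC code and does not reproduce the actual CVE-2022-2827 request.

from collections import defaultdict

# Constructed account store standing in for a BMC's local user database.
ACCOUNTS = {"sysadmin": "s3cret", "root": "r00t", "bmcuser": "op3r"}

# Constructed wordlist an attacker might try against a management interface.
CANDIDATES = ["sysadmin", "root", "admin", "operator", "guest",
              "administrator", "bmc", "user"]


def leaky_reset(username: str) -> str:
    """Vulnerable handler: the response text depends on whether the account exists."""
    if username not in ACCOUNTS:
        return "Error: user does not exist"
    return "A password reset link has been sent"


def uniform_reset(username: str) -> str:
    """Hardened handler: identical response for existing and unknown accounts.

    The real side effect (sending or not sending the link) happens out of band,
    so nothing observable to the client differs between the two cases.
    """
    _ = username in ACCOUNTS  # decides whether to send; never reflected in the reply
    return "If the account exists, a reset link has been sent"


def enumerate_users(handler, candidates):
    """Attacker's view: submit each candidate and group them by response text.

    Most guesses from a generic wordlist are wrong, so the minority response
    group is the set of accounts that exist. Returns None when the handler
    gives a single indistinguishable response (no oracle to exploit).
    """
    groups = defaultdict(list)
    for name in candidates:
        groups[handler(name)].append(name)
    if len(groups) < 2:
        return None
    return set(min(groups.values(), key=len))


def stuffing_attempts(confirmed_users, leaked_pairs):
    """Search-space reduction: only leaked credentials whose username the oracle
    confirmed are worth sending to the login endpoint."""
    return [(u, p) for (u, p) in leaked_pairs if u in confirmed_users]


if __name__ == "__main__":
    # Constructed "previously leaked" credential pairs, as a stuffing list.
    leaked = [("admin", "admin"), ("root", "password"),
              ("sysadmin", "changeme"), ("operator", "operator")]
    found = enumerate_users(leaky_reset, CANDIDATES)
    print("leaky handler exposes:", found)                     # {'root', 'sysadmin'}
    print("credentials worth trying:", stuffing_attempts(found, leaked))
    print("hardened handler exposes:", enumerate_users(uniform_reset, CANDIDATES))  # None
```

The same differential logic applies to any observable channel, not just message text: status codes, response sizes and timing all need to be identical for existing and unknown accounts before the oracle is actually closed.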
The experts write that the consequences of exploiting the three vulnerabilities may include remote control of compromised servers, remote deployment of malware, ransomware and malicious firmware, as well as physical damage to servers, up to turning them into "bricks".
We also recall that several years ago the media reported that Gigabyte and Lenovo server solutions were at risk because of bugs in their BMC firmware.