Vulnerabilities in AMI MegaRAC Controllers Threaten AMD, ARM, HPE and Dell Servers

Written by Emma Davis

Researchers have disclosed three vulnerabilities in the AMI MegaRAC BMC (Baseboard Management Controller) firmware from American Megatrends. The issues affect server hardware used by many data centers and cloud service providers.

The vulnerabilities were found by Eclypsium researchers in August 2022, after proprietary American Megatrends code, including the MegaRAC BMC firmware, leaked online. Having studied the firmware, the researchers found bugs that, under certain conditions, can be used to execute arbitrary code, bypass authentication, and enumerate user accounts.

We also reported that researchers say more than 47,000 servers are at risk due to the USBAnywhere vulnerabilities in Supermicro boards, and that vulnerabilities in more than 40 drivers affect all PCs running Windows 10.

As a reminder, a BMC is equipped with its own CPU, storage and LAN interface, through which a remote administrator can connect and instruct the server or PC to perform certain operations (changing OS settings, reinstalling the OS, updating firmware and drivers, and so on). Because the BMC runs independently of the host operating system, it keeps working even when the server is powered off or the OS will not boot. In effect, such solutions allow administrators to troubleshoot many problems remotely, as if they were physically present at the device, which is also why a compromised BMC gives an attacker a foothold below the operating system and outside the view of host-based security tools.

MegaRAC BMCs are used by at least 15 major server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

Researchers have identified the following issues, which have already been reported to American Megatrends and the affected vendors:

  1. CVE-2022-40259: a critical vulnerability allowing arbitrary code execution through the Redfish API, caused by a command being improperly exposed to the user (CVSS 3.1 score 9.9 out of 10);
  2. CVE-2022-40242: default credentials for the sysadmin user, allowing an attacker to establish an administrative shell (CVSS 3.1 score 8.3);
  3. CVE-2022-2827: a query manipulation flaw that allows enumerating usernames and determining whether a particular account exists on the system (CVSS 3.1 score 7.5).

The researchers emphasize that the most serious of the three, CVE-2022-40259, requires prior access to at least a low-privileged account in order to perform the API call. CVE-2022-40242, by contrast, requires nothing more than remote access to the device. The first two problems are therefore extremely serious, as each gives an attacker an administrative shell on the BMC without any further privilege escalation.

The third flaw has less direct security impact on its own, but it reveals which accounts exist on the controller, and that knowledge opens a direct path to brute-force or credential stuffing attacks (replaying credentials already known to attackers from other breaches) against exactly the accounts that are present.
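To make the distinction above concrete, here is an added example written for this page; it is not code from Eclypsium's report or from AMI, and it is not a model of how CVE-2022-2827 works internally. It shows a hypothetical management-API login handler that leaks whether an account exists next to one that does not, together with the probing loop an attacker would run against such an oracle. The account names, passwords, salt and response strings are constructed for the example.

```python
"""User-enumeration oracle in a login handler, and its fix.

Added example, not code from the article or from AMI/Eclypsium. The two
handlers are hypothetical stand-ins for a BMC management API: any difference
in the response to "unknown user" versus "wrong password" lets a remote,
unauthenticated caller confirm which accounts exist, which turns blind
guessing into targeted password spraying or credential stuffing.
"""
import hashlib
import hmac
import secrets

# Iteration count kept low so the example runs quickly; use far more in production.
_ITERATIONS = 10_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample account store: username -> (salt, PBKDF2 digest).
_SALT = b"constructed-fixed-salt"
ACCOUNTS = {
    "sysadmin": (_SALT, _hash("correct horse battery staple", _SALT)),
    "operator": (_SALT, _hash("another-strong-passphrase", _SALT)),
}
# Dummy digest so the failure path does the same work for unknown users.
_DUMMY = _hash("dummy", _SALT)


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaky handler: 'no such user' and 'bad password' are distinguishable."""
    if username not in ACCOUNTS:
        return 404, "user not found"  # <- the oracle (also returns faster)
    salt, digest = ACCOUNTS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return 200, "ok"
    return 401, "invalid password"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Fixed handler: identical response and identical work on every failure."""
    salt, digest = ACCOUNTS.get(username, (_SALT, _DUMMY))
    ok = hmac.compare_digest(_hash(password, salt), digest)
    if ok and username in ACCOUNTS:
        return 200, "ok"
    return 401, "invalid credentials"


def enumerate_users(login, candidates):
    """Attacker's view: probe each candidate with a throwaway password and keep
    the names whose response differs from the response for a made-up user."""
    probe = secrets.token_hex(16)
    unknown = login("zz-definitely-not-a-user", probe)
    return sorted(u for u in candidates if login(u, probe) != unknown)


if __name__ == "__main__":
    wordlist = ["root", "admin", "sysadmin", "operator", "ADMIN"]
    print("leaky handler reveals:", enumerate_users(login_vulnerable, wordlist))
    print("fixed handler reveals:", enumerate_users(login_hardened, wordlist))
```

Note that the leaky handler also returns before doing any password hashing for unknown users, so even with identical status codes and messages the response time would remain an oracle; the hardened version hashes against a dummy digest precisely to keep the two failure paths indistinguishable in both content and timing.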

"These vulnerabilities could create serious risks if an attacker has access to the BMC of an affected server. In accordance with security best practices, BMCs should not be exposed to direct access from the internet, and our scans after the initial disclosure of vulnerabilities show relatively low public exposure (compared to recent high-profile vulnerabilities found in other infrastructure products). However, it is quite common to find BMCs that are at risk, either due to misconfiguration or poor cybersecurity hygiene. In addition, these vulnerabilities could be exploited by an attacker with initial access to a data center or administrative network," the company said in its report.

The researchers write that the consequences of exploiting the three vulnerabilities may include remote control of compromised servers, remote deployment of malware, ransomware and malicious firmware, and even physical damage to servers, up to "bricking" them.

"Because data centers tend to standardize on certain hardware platforms, any BMC vulnerability is likely to affect a large number of devices and potentially affect the entire data center and the services it provides. The standardization of server components by hosting and cloud providers means that these vulnerabilities can affect hundreds of thousands or even millions of systems," Eclypsium warns.

We also recall that several years ago the media reported that Gigabyte and Lenovo server products were under threat because of bugs in their BMC firmware.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
