Two additional security vulnerabilities have been identified in AMI MegaRAC Baseboard Management Controller (BMC) software, just two months after the discovery of three similar flaws in the same system. Firmware security firm Eclypsium disclosed the new vulnerabilities, which it had previously withheld to give AMI time to implement the necessary mitigations.
The vulnerabilities, grouped under the identifier BMC&C, pose significant risk because they could allow a malicious actor to achieve remote code execution and gain unauthorized access with superuser privileges on the BMC. This warrants serious attention from IT security professionals, particularly those managing server infrastructure.
The newly identified flaws are CVE-2022-26872, which carries a CVSS score of 8.3 and allows password reset interception via an API, and CVE-2022-40258, with a CVSS score of 5.3, which concerns weak password hashing in the Redfish APIs. Specifically, the MegaRAC software uses the outdated MD5 hashing algorithm on older devices, while newer appliances use SHA-512 with per-user salts; both schemes could be susceptible to password cracking by a skilled adversary.
Exploitation of CVE-2022-26872 uses an HTTP API together with social engineering to manipulate a user into performing a password reset, allowing the attacker to set a new password of their choosing. This method of exploitation suggests that threat actors would rely on initial access techniques typical of the social engineering attacks outlined in the MITRE ATT&CK framework.
These two vulnerabilities compound the risk of three previously disclosed issues from December, namely CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827, which have CVSS scores of 9.9, 8.3, and 7.5 respectively. Exploitability of the BMC&C vulnerabilities depends on the BMCs being reachable over the internet, or on an attacker having already penetrated the data center or administrative network by other means, which underscores the need for robust network segmentation and related security controls around management interfaces.
The precise scope of impact remains undetermined, but Eclypsium is actively collaborating with AMI and industry stakeholders to identify affected products and services. Major manufacturers such as Gigabyte, Hewlett Packard Enterprise, Intel, and Lenovo have already issued patches for their devices, while NVIDIA is expected to release a fix by May 2023.
Successful exploitation could have serious consequences, including remote control of compromised servers, deployment of malware, and potential physical damage to servers. The implications for server management and security operations are considerable, and business owners should act promptly to apply the available patches and restrict access to BMC interfaces.