Two new security vulnerabilities have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that could allow attackers to remotely take control of vulnerable servers and deploy malware. The flaws, rated High and Critical in severity, include unauthenticated remote code execution and unauthorized access with superuser permissions, according to a report by Eclypsium researchers Vlad Babkin and Scott Scheferman that was shared with The Hacker News.

The vulnerabilities can be exploited by remote attackers with access to the Redfish remote management interface, or from an already compromised host operating system. More worrying, the flaws could be used to plant persistent firmware implants that survive operating system reinstallation and hard drive replacement, or to inflict physical damage through over-voltage attacks or indefinite reboot loops.

As attackers increasingly target the embedded code running on hardware, compromises become harder to detect and far more difficult to remediate, since the implant sits below the operating system that conventional tools inspect. The vulnerabilities disclosed by Eclypsium stem from its analysis of AMI firmware that was leaked during the ransomware attack by the RansomExx group on hardware manufacturer GIGABYTE in August 2021.

The latest issues add to the list of vulnerabilities in AMI MegaRAC BMCs collectively tracked as BMC&C, which already includes flaws disclosed in December 2022 and January 2023. Together they illustrate a supply chain problem: a single upstream firmware supplier's defects propagate into the products of every hardware vendor that builds on its code.

The newly discovered vulnerabilities are tracked as CVE-2023-34329 (CVSS score: 9.1) and CVE-2023-34330 (CVSS score: 8.2). Chained together they carry a maximum severity score of 10.0, allowing an attacker to bypass Redfish authentication and then execute arbitrary code on the BMC with elevated privileges. They could also be chained with CVE-2022-40258, an earlier BMC&C flaw that makes the password hashes of the BMC's admin accounts easier to crack.
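Before any of this can be acted on, a defender needs to know which BMCs in the fleet run a MegaRAC-derived stack, what firmware version each reports, and whether any BMC is reachable from outside the dedicated management network. The following Python script, an added example that is not part of Eclypsium's report or of any AMI or OEM tooling, shows that inventory check. It uses only DMTF-standard Redfish resources: the service root at /redfish/v1, which the Redfish specification allows to be read without credentials, the Managers collection, and a Manager resource's FirmwareVersion property. The vendor-string heuristic, the sample JSON documents and the IP addresses are constructed for illustration. Because OEMs ship MegaRAC under their own branding, a negative match does not prove a BMC is unaffected, and the reported version must be compared with the server vendor's own advisory, which is where the fixed firmware ships from.

```python
"""Redfish-based BMC inventory helper (added example, not Eclypsium or AMI code).

Only DMTF-standard Redfish resources are used: the service root (/redfish/v1,
readable without credentials per the spec), the Managers collection and a
Manager resource, whose FirmwareVersion is the string to compare with the
server vendor's advisory.
"""
import base64
import ipaddress
import json
import re
import ssl
import urllib.request

# Heuristic (assumption): tokens that suggest an AMI MegaRAC stack. OEMs often
# rebrand MegaRAC, so a miss here is not evidence that a BMC is unaffected.
MEGARAC_PATTERN = re.compile(r"\b(ami|megarac|american megatrends)\b")

# Constructed sample documents for offline use: field names follow the Redfish
# ServiceRoot and Manager schemas, the values are made up for this example.
SAMPLE_SERVICE_ROOT = {
    "@odata.id": "/redfish/v1",
    "RedfishVersion": "1.8.0",
    "Vendor": "AMI",
    "Product": "MegaRAC SP-X",
    "Managers": {"@odata.id": "/redfish/v1/Managers"},
}
SAMPLE_MANAGER = {
    "@odata.id": "/redfish/v1/Managers/Self",
    "ManagerType": "BMC",
    "Model": "MegaRAC SP-X",
    "FirmwareVersion": "1.02.00",
}


def _fingerprint(*values):
    """Join the identifying strings into one lower-cased search string."""
    return " ".join(str(v) for v in values if v).lower()


def summarize_bmc(service_root, manager):
    """Reduce a service root and a Manager document to the fields a patch inventory needs."""
    fingerprint = _fingerprint(service_root.get("Vendor"), service_root.get("Product"),
                               manager.get("Model"), manager.get("Manufacturer"))
    return {
        "vendor": service_root.get("Vendor"),
        "product": service_root.get("Product"),
        "model": manager.get("Model"),
        "firmware": manager.get("FirmwareVersion"),  # compare with the OEM advisory
        "suspected_megarac": MEGARAC_PATTERN.search(fingerprint) is not None,
    }


def exposed_outside(bmc_addresses, management_cidrs):
    """Return the BMC addresses that are not inside any dedicated management network."""
    nets = [ipaddress.ip_network(c) for c in management_cidrs]
    return [a for a in bmc_addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def fetch_json(base_url, path, credentials=None, verify_tls=True):
    """GET one Redfish resource; credentials=(user, password) selects HTTP Basic auth."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed BMC certificates are common; make the choice explicit
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def inventory_bmc(base_url, credentials, verify_tls=True):
    """Live counterpart of summarize_bmc against a reachable BMC (needs network access)."""
    root = fetch_json(base_url, "/redfish/v1", verify_tls=verify_tls)
    managers = fetch_json(base_url, root["Managers"]["@odata.id"], credentials, verify_tls)
    first_manager = managers["Members"][0]["@odata.id"]
    manager = fetch_json(base_url, first_manager, credentials, verify_tls)
    return summarize_bmc(root, manager)


if __name__ == "__main__":
    # Offline run over the constructed documents and made-up addresses.
    print(json.dumps(summarize_bmc(SAMPLE_SERVICE_ROOT, SAMPLE_MANAGER), indent=2))
    print(exposed_outside(["10.10.0.5", "192.0.2.44"], ["10.10.0.0/24"]))
```

Run against a real fleet by calling inventory_bmc("https://<bmc-address>", ("user", "password")) for each BMC and feeding the addresses to exposed_outside with your management VLAN ranges; any address that comes back is a BMC whose Redfish interface is reachable from where it should not be.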

Successful exploitation could be used to install persistent malware for long-term espionage that stays below the visibility of host-based security tools, to move laterally to other systems, and even to damage the CPU by tampering with power management.

While there is no evidence that these vulnerabilities have been exploited in the wild, MegaRAC BMC firmware ships as a core component in millions of devices from major vendors, which makes it an attractive target for attackers seeking complete control of a system. The researchers stress that such flaws threaten the technology supply chain underlying cloud computing, because one defect in the upstream firmware reaches the many hardware vendors whose products in turn support cloud services.

The ramifications therefore extend beyond the servers an organization manages directly to the hardware behind the cloud services it depends on. Mapped to the MITRE ATT&CK framework, an attack built on these flaws would span tactics such as initial access, privilege escalation, and persistence, underscoring that embedded firmware components belong in the same inventory, monitoring, and patching processes as the operating systems running on top of them.

NOTE: In this article, BMC refers specifically to Baseboard Management Controller and should not be confused with BMC Software, an American multinational organization.
