Eclypsium detects supply chain vulnerabilities in MegaRAC BMCs that put the server ecosystem at risk

Eclypsium Research has disclosed three supply chain vulnerabilities in American Megatrends Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software, collectively referred to as ‘BMC&C.’ The flaws can be exploited by remote attackers who have access to the BMC’s remote management interfaces, such as Redfish and IPMI, putting the entire server ecosystem at risk.

Because MegaRAC is widely used across server manufacturers to provide ‘lights-out’ management for their server products, the BMC vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing, Eclypsium researchers wrote in a Monday post. “In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use,” they added.

The Eclypsium alert is not the first time that MegaRAC-based BMCs have been exposed. Last month, industrial cybersecurity company Nozomi Networks identified thirteen vulnerabilities affecting the BMCs of Lanner devices based on AMI MegaRAC SP-X, five of which are rated critical. By exploiting these vulnerabilities, an unauthenticated attacker can achieve remote code execution (RCE) with root privileges on the BMC, compromising it and gaining control of the managed host.

BMCs are critical components that provide out-of-band management for modern servers. A BMC is a fully functional, independent computer within a server, with its own power, firmware, memory, and networking stack. This allows remote administrators to control virtually everything on the device, from low-level hardware settings to the host operating system, virtual hosts, applications, and data. The BMC lets administrators manage the host even when the host itself is powered off.

The report identified the three MegaRAC vulnerabilities as CVE-2022-40259, arbitrary code execution via the Redfish API; CVE-2022-40242, default credentials for a UID 0 (root) shell reachable over SSH (Secure Shell); and CVE-2022-2827, user enumeration via the API. “The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking). At this time, it is unknown whether these vulnerabilities are under active exploitation,” the post added.

The first two CVEs lead straight into the UID 0 administrative shell, with no further escalation necessary. CVE-2022-40259 requires prior access to at least a low-privilege account (Callback privileges or higher), while CVE-2022-40242 requires nothing more than network access to the device, although on some devices the default account may be disabled, the post added. “The third vulnerability (CVE-2022-2827) would require additional steps for full exploitation; e.g. it allows for pinpointing pre-existing users and does not lead into a shell but would provide an attacker a list of targets for brute force or credential stuffing attacks.”

The Eclypsium post said that these vulnerabilities pose serious risks wherever an attacker has access to an affected server’s BMC. As a security best practice, BMCs should not be directly exposed to the Internet, and scans performed after the initial disclosure indicate that public exposure is relatively low compared to recent high-profile vulnerabilities in other infrastructure products. However, it is quite common to find BMCs that are exposed because of misconfiguration or poor security hygiene.

Additionally, these vulnerabilities could be exploited by an attacker who has gained initial access to a data center or administrative network. As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services it delivers. Because of the nature and location of BMC vulnerabilities, detecting exploitation is difficult: standard EDR (endpoint detection and response) and AV (anti-virus) products monitor the host operating system, not the underlying firmware, and the BMC’s own logs are the only place its logins are recorded.
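Since host-side tooling never sees the BMC, the practical detection point is the BMC’s own event log. The following is an added example (not code from Eclypsium, AMI, or the post) that runs brute-force and credential-stuffing detection, the follow-on attack the post describes for CVE-2022-2827, over constructed login events. The record shape (Created, Severity, Message) follows the Redfish LogEntry resource, but the Message wording, the management network 10.10.0.0/24, and the thresholds are all assumptions; real MegaRAC builds phrase login events differently.

```python
"""Constructed BMC login-event detector (added example; not code from Eclypsium
or AMI). Host EDR/AV never sees logins to the BMC, so the BMC's own event log
(here in the shape of Redfish LogEntry records) is where brute-force or
credential-stuffing attempts against enumerated users show up."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed dedicated management network; adjust to your environment.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample log. Field names follow the Redfish LogEntry resource
# (Created, Severity, Message); the Message wording is an assumption.
SAMPLE_LOG = json.dumps([
    {"Created": "2022-12-05T10:00:01Z", "Severity": "OK",      "Message": "Login successful for user admin from 10.10.0.5"},
    {"Created": "2022-12-05T10:02:10Z", "Severity": "Warning", "Message": "Login failed for user admin from 198.51.100.7"},
    {"Created": "2022-12-05T10:02:12Z", "Severity": "Warning", "Message": "Login failed for user root from 198.51.100.7"},
    {"Created": "2022-12-05T10:02:14Z", "Severity": "Warning", "Message": "Login failed for user sysadmin from 198.51.100.7"},
    {"Created": "2022-12-05T10:02:16Z", "Severity": "Warning", "Message": "Login failed for user operator from 198.51.100.7"},
    {"Created": "2022-12-05T10:02:20Z", "Severity": "Warning", "Message": "Login failed for user admin from 198.51.100.7"},
    {"Created": "2022-12-05T10:03:00Z", "Severity": "OK",      "Message": "Login successful for user root from 198.51.100.7"},
    {"Created": "2022-12-05T10:30:00Z", "Severity": "Warning", "Message": "Login failed for user admin from 10.10.0.9"},
])

LOGIN_RE = re.compile(
    r"Login (?P<result>successful|failed) for user (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_entries(raw_json):
    """Turn LogEntry JSON into login events sorted by time; non-login entries are skipped."""
    events = []
    for entry in json.loads(raw_json):
        m = LOGIN_RE.search(entry.get("Message", ""))
        if not m:
            continue
        events.append({
            "time": datetime.strptime(entry["Created"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "successful",
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return (kind, source_ip) alerts, at most one per kind per source.

    password_spray:         failures against >= max_users distinct users inside the window
    brute_force:            >= max_failures failures inside the window
    success_after_failures: a successful login right after such a burst (worst case)
    off_mgmt_network:       any login attempt from outside MGMT_NET
    """
    alerts, seen = [], set()
    failures = defaultdict(list)  # src -> [(time, user), ...] within the window

    def alert(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, str(src)))

    for ev in events:
        src = ev["src"]
        if src not in MGMT_NET:
            alert("off_mgmt_network", src)
        recent = [(t, u) for t, u in failures[src] if ev["time"] - t <= window]
        if ev["ok"]:
            if len(recent) >= max_failures:
                alert("success_after_failures", src)
            continue
        recent.append((ev["time"], ev["user"]))
        failures[src] = recent  # entries older than the window are dropped
        if len({u for _, u in recent}) >= max_users:
            alert("password_spray", src)
        if len(recent) >= max_failures:
            alert("brute_force", src)
    return alerts


def run_sample():
    return detect(parse_entries(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src in run_sample():
        print(f"{kind:24s} {src}")
```

On the constructed log the detector raises four alerts for 198.51.100.7 (off-network source, spray across enumerated users, burst of failures, then a success) and nothing for the single failed login from inside the management network. In production the events would come from the BMC’s Redfish log service or its syslog forwarding, and the thresholds should be tuned to the real login rate of your automation.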

The Eclypsium alert identified that the risks are magnified by AMI’s position, as the provider of MegaRAC BMC remote management firmware, at the top of the BMC supply chain. The firmware is a foundational component of modern computing, found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world. And since devices in these environments typically standardize on a hardware configuration, a vulnerable configuration is likely to be shared across thousands of devices.

Additionally, some of this research was enabled by the discovery of a substantial amount of AMI intellectual property on the Internet. The availability of this information could naturally increase the likelihood of attacks in the wild. 

Eclypsium Research has been following a Coordinated Vulnerability Disclosure process, including AMI and other affected parties. Additionally, AMI and Eclypsium have reached out to multiple parties who are working to determine the scope of impacted products and services, the post added.

While assessing the scope of the BMC&C vulnerabilities, it is important to understand the role AMI MegaRAC plays in the supply chain of cloud data centers. Naturally, many enterprises are attracted to the cloud due to the ability to abstract computing resources from the cost and ongoing maintenance of physical hardware. However, clouds run on hardware that translates to vast numbers of servers from many different vendors.

MegaRAC BMC firmware is one of the common threads that connect much of the hardware underlying the cloud. As a result, any vulnerability in MegaRAC can propagate through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, to abstract computing from the hardware, the physical servers within a data center must be interchangeable.

“To this end, cloud providers standardize on server components, hardware configurations, firmware & operating system versions, and hypervisor software,” the Eclypsium post said. “So if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk.”

Organizations must ensure that all remote server management interfaces and BMC subsystems in their environments sit on dedicated management networks and are not exposed externally. They must also review the vendor default configuration of device firmware to identify and disable built-in administrative accounts, and use remote authentication where available. Additionally, enterprises must perform regular software and firmware updates on critical servers, and ensure that vulnerability assessments include remote server management subsystems and critical firmware.

Furthermore, enterprises must ensure that all critical firmware in servers is regularly monitored for indicators of compromise or unauthorized modifications. They must perform supply chain checks on new equipment and verify that all new servers have major vulnerabilities patched and the latest firmware updates installed.
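The hardening steps above (dedicated management network, disabled built-in administrative accounts, remote authentication, current firmware) can be checked mechanically before a server is racked and again on a schedule. The following is an added example, not code from Eclypsium, AMI, or any OEM, that audits one BMC against those steps from a snapshot gathered out of band. The snapshot mirrors Redfish ManagerAccount and AccountService property names (UserName, Enabled, RoleId, LDAP.ServiceEnabled), but the snapshot contents, the management network 10.10.0.0/24, the list of vendor-default account names, and the minimum firmware version are all constructed assumptions; the post names no fixed version, so MIN_FIRMWARE is a placeholder to be filled in from the AMI or OEM advisory.

```python
"""Constructed BMC hardening audit (added example; not code from Eclypsium,
AMI or any OEM). Checks one BMC snapshot against the four mitigations:
network placement, built-in admin accounts, remote authentication, firmware."""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")        # assumed dedicated BMC network
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "sysadmin"}   # assumed; extend per vendor
MIN_FIRMWARE = "12.04.00"                              # placeholder, not a real fixed version

# Constructed snapshot of a weakly configured BMC. Property names mirror the
# Redfish ManagerAccount / AccountService schemas; values are made up.
WEAK_BMC = {
    "host": "db-node-17",
    "bmc_ip": "203.0.113.40",          # routable address, not on the management network
    "firmware": "12.03.02",
    "accounts": [
        {"UserName": "ADMIN", "Enabled": True, "RoleId": "Administrator"},
        {"UserName": "ops-break-glass", "Enabled": True, "RoleId": "Administrator"},
        {"UserName": "root", "Enabled": False, "RoleId": "Administrator"},
        {"UserName": "monitor", "Enabled": True, "RoleId": "ReadOnly"},
    ],
    "account_service": {
        "LDAP": {"ServiceEnabled": False},
        "ActiveDirectory": {"ServiceEnabled": False},
    },
}

# The same BMC after remediation: moved to the management network, built-in
# ADMIN disabled, LDAP enabled, firmware at the required minimum.
HARDENED_BMC = {
    "host": "db-node-17",
    "bmc_ip": "10.10.0.40",
    "firmware": "12.04.00",
    "accounts": [
        {"UserName": "ADMIN", "Enabled": False, "RoleId": "Administrator"},
        {"UserName": "ops-break-glass", "Enabled": True, "RoleId": "Administrator"},
        {"UserName": "root", "Enabled": False, "RoleId": "Administrator"},
        {"UserName": "monitor", "Enabled": True, "RoleId": "ReadOnly"},
    ],
    "account_service": {
        "LDAP": {"ServiceEnabled": True},
        "ActiveDirectory": {"ServiceEnabled": False},
    },
}


def version_tuple(version):
    """Compare dotted numeric versions numerically, so 12.10.0 > 12.9.0."""
    return tuple(int(part) for part in version.split("."))


def audit_bmc(bmc, mgmt_net=MGMT_NET, default_names=DEFAULT_ACCOUNT_NAMES,
              min_fw=MIN_FIRMWARE):
    """Return a list of 'category: detail' findings; an empty list means the BMC passes."""
    findings = []

    # 1. Management interfaces must live on the dedicated management network.
    ip = ipaddress.ip_address(bmc["bmc_ip"])
    if ip not in mgmt_net:
        findings.append(f"exposure: BMC {ip} is outside management network {mgmt_net}")

    # 2. Vendor built-in accounts must be disabled (role is reported for triage).
    for acct in bmc["accounts"]:
        if acct["Enabled"] and acct["UserName"].lower() in default_names:
            findings.append(
                f"default-account: built-in '{acct['UserName']}' is enabled "
                f"with role {acct['RoleId']}"
            )

    # 3. Remote authentication should be in use rather than local passwords only.
    svc = bmc["account_service"]
    if not any(svc.get(p, {}).get("ServiceEnabled") for p in ("LDAP", "ActiveDirectory")):
        findings.append("auth: no remote authentication provider enabled; local passwords only")

    # 4. Firmware must be at or above the advisory's fixed version.
    if version_tuple(bmc["firmware"]) < version_tuple(min_fw):
        findings.append(f"firmware: {bmc['firmware']} is older than required minimum {min_fw}")

    return findings


if __name__ == "__main__":
    for label, bmc in (("weak", WEAK_BMC), ("hardened", HARDENED_BMC)):
        print(f"{label} ({bmc['host']}): {len(audit_bmc(bmc))} finding(s)")
        for f in audit_bmc(bmc):
            print("  -", f)
```

The weak snapshot produces one finding per mitigation; the hardened one produces none. Note that the disabled `root` account is deliberately not flagged, and the named break-glass administrator is allowed, so the check targets vendor defaults rather than every administrator. Feeding the audit from a real fleet means pulling each BMC’s `AccountService` and firmware inventory over Redfish from the management network, never from an exposed address.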
