Eclypsium discovers two more remotely exploitable flaws in AMI MegaRAC BMC software

Eclypsium Research disclosed Thursday two additional vulnerabilities in American Megatrends Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software, collectively referred to as ‘BMC&C.’ The new vulnerabilities range in severity from high to critical and include unauthenticated remote code execution (RCE) and unauthorized device access with superuser permissions. They can be exploited by any local or remote attacker with access to the Redfish management interface.

“It is worth noting that this new and prior research was the result of ongoing analysis of information leaked as part of a prior ransomware incident in the supply chain. This is significant because it means that threat actors have access to the same source code we used in our research, making it a straightforward exercise to find these and other vulnerabilities,” Nate Warfield, Scott Scheferman, and Vlad Babkin, Eclypsium researchers wrote in a post. “Of note, too, BMC firmware images can also be decompiled to sufficiently reveal the same vulnerabilities discovered in this research, even without direct access to source code.”

They added that the impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware, and firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (over-voltage/firmware bricking), and indefinite reboot loops that a victim organization cannot interrupt. 

Eclypsium identified last December three supply chain vulnerabilities in AMI MegaRAC BMC software that can be exploited by remote attackers with access to remote management interfaces such as Redfish and IPMI, putting the entire server ecosystem at risk. MegaRAC BMC is widely used across server manufacturers to provide ‘lights-out’ management capabilities for their server products, so the vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. It is a critical supply chain component found in millions of devices worldwide and used by multiple top-tier manufacturers to deliver lights-out management for servers.

The Eclypsium researchers identified that the latest vulnerabilities can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system. “These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services.” 

They added that as such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use. “They can also impact upstream suppliers to organizations and should be discussed with key 3rd parties as part of general supply chain risk management due diligence.” 

The two vulnerabilities are tracked as CVE-2023-34329 (authentication bypass via HTTP header spoofing) and CVE-2023-34330 (code injection via the Dynamic Redfish Extension interface). Their impact, as described above, includes remote control of compromised servers, remote deployment of malware, ransomware, and firmware implants, bricking of motherboard components (BMC or potentially BIOS/UEFI), potential physical damage (over-voltage/bricking), and indefinite reboot loops that a victim cannot stop.
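The page names the class of CVE-2023-34329 (authentication bypass via HTTP header spoofing) but not the header or logic involved. The following is an added, illustrative example (not AMI's or Eclypsium's code) of what that class of defect looks like in a request handler, beside a hardened form. The header name `X-Source-Interface`, the interface names `host-usb` and `mgmt-eth`, and the per-interface policy table are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed names: the header, interface labels and policy below are
# illustrative and are not taken from the affected firmware.
TRUST_HEADER = "X-Source-Interface"

# Per-listener policy. Some BMC deployments relax authentication on the
# host-facing interface; "mgmt-eth" is the network-facing Redfish listener.
AUTH_REQUIRED = {"host-usb": False, "mgmt-eth": True}


@dataclass
class Request:
    headers: dict                  # client-controlled: the peer can put anything here
    local_iface: str               # interface the listener accepted the connection on
    credentials_ok: bool = False   # outcome of a real credential check, if any were sent


def authorize_vulnerable(req: Request) -> bool:
    """Anti-pattern: the interface policy is chosen from a header the client wrote.

    A client on the network-facing listener can claim to be on the host-facing
    interface and inherit its relaxed policy, so authentication is skipped.
    """
    claimed_iface = req.headers.get(TRUST_HEADER, req.local_iface)
    if not AUTH_REQUIRED.get(claimed_iface, True):
        return True
    return req.credentials_ok


def authorize_hardened(req: Request) -> bool:
    """Policy is chosen from the accepting interface only, a server-side fact.

    Request content can never lower the bar; unknown interfaces default to
    requiring credentials.
    """
    if not AUTH_REQUIRED.get(req.local_iface, True):
        return True
    return req.credentials_ok


def demo() -> dict:
    """Run the same spoofed request through both handlers."""
    spoofed = Request(headers={TRUST_HEADER: "host-usb"}, local_iface="mgmt-eth")
    legitimate = Request(headers={}, local_iface="mgmt-eth", credentials_ok=True)
    return {
        "spoofed_vulnerable": authorize_vulnerable(spoofed),
        "spoofed_hardened": authorize_hardened(spoofed),
        "legit_hardened": authorize_hardened(legitimate),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The design point is that trust must come from facts the server establishes itself (which socket accepted the connection, what credentials were verified), never from request fields. The hardened handler still honours a relaxed host-side policy if one is configured; setting every entry in `AUTH_REQUIRED` to `True` is the stricter deployment choice and is what CISA's BMC hardening guidance points toward.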

“These risks are magnified by MegaRAC’s position as the world’s leading provider of BMC remote management firmware, sitting at the top of the BMC supply chain. This firmware is a foundational component of modern computing found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world,” according to the Eclypsium researchers. “And since devices in these environments typically standardize on a hardware configuration, a vulnerable configuration could likely be shared across thousands of devices. Additionally, much of this research was enabled by the discovery of a substantial amount of AMI intellectual property that was leaked on the Internet.” 

They added that the availability of this information, including firmware source code, could increase the likelihood of attackers developing exploits and implants similar to those the Eclypsium research team has been able to develop.

The researchers added that they “have seen no evidence that these or our previously disclosed BMC&C vulnerabilities are being exploited in the wild. However, because threat actors have access to the same source data the risk of these vulnerabilities being weaponized is significantly raised. This fact has driven the urgency of our analysis to ensure we can find and address problems before threat actors can exploit them.” 

Eclypsium Research has been following a coordinated vulnerability disclosure process with AMI and other affected parties. AMI and Eclypsium have also reached out to multiple parties who are working to determine the scope of impacted products and services, including top-tier OEM vendors, affected IT supply chain parties, and large cloud infrastructure providers.

The Eclypsium post also flagged the recent CISA Binding Operational Directive 23-02, which highlights the urgent need to secure these interfaces from active exploitation in the wild. Alongside it, CISA has published extensive hardening guidelines for BMCs, aligned with its cross-sector Cybersecurity Performance Goals (CPGs). Attacks against data centers have been causing tremendous impact of late, affecting many third parties; in many cases, attackers specifically target the lights-out management interfaces and credentials. A growing body of research has been shedding light on the risks of remote management interfaces and server supply chains in general.

The researchers concluded that such vulnerabilities can pose serious risks in any scenario in which an attacker has access to an affected server’s BMC. They can be exploited by an attacker that has gained initial access into a data center or administrative network, and in many cases even from the Internet directly, as many architectures are misconfigured to allow direct access. Finally, attackers can also leverage these vulnerabilities directly from a compromised operating system down to the BMC on the same device.

“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability may apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers, up to the point of catastrophic impact and indefinite downtime,” the Eclypsium researchers added. “Due to the nature and location of BMC vulnerabilities, detecting exploitation and post-exploit activity is complex, as standard EDR & AV products focus on the operating system, not the underlying firmware. Further, network security controls likely will not detect traffic going to or from BMCs as malicious.”
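The two paragraphs above make two defensive points: many architectures are misconfigured to allow direct access to BMCs, and network controls rarely treat BMC traffic as suspicious. The following is an added example (not from Eclypsium's post or AMI) of a compensating check: it reads flow records and flags Redfish/IPMI connections into the management network from anything other than designated admin hosts, plus connections the BMC network initiates outward. The subnets, port labels and flow lines are constructed placeholders.

```python
import ipaddress

# Constructed topology (placeholders, not from the page): the out-of-band
# management VLAN where BMCs live, and the admin/bastion range allowed to reach it.
BMC_NET = ipaddress.ip_network("10.10.0.0/24")
ADMIN_NETS = [ipaddress.ip_network("10.200.5.0/24")]

# Services the page names as attack paths: Redfish (HTTP/HTTPS) and IPMI (RMCP).
BMC_PORTS = {443: "redfish-https", 80: "redfish-http", 623: "ipmi-rmcp"}

# Constructed flow records in the form "src,dst,proto,dport,bytes".
SAMPLE_FLOWS = """\
10.200.5.12,10.10.0.21,tcp,443,18422
10.200.5.12,10.10.0.22,udp,623,512
198.51.100.7,10.10.0.21,tcp,443,9120
172.16.40.9,10.10.0.35,tcp,80,2201
10.10.0.21,203.0.113.50,tcp,443,740200
10.50.1.8,10.50.1.9,tcp,443,1000
"""


def parse_flows(text: str) -> list:
    """Parse CSV flow lines into dicts with typed addresses and ports."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_admin(ip) -> bool:
    return any(ip in net for net in ADMIN_NETS)


def find_suspicious(flows: list) -> list:
    """Return (src, dst, service, reason) tuples for flows that violate policy.

    Rule 1: inbound to a BMC management port from a non-admin source.
    Rule 2: a BMC address opening a connection to somewhere outside the
            management VLAN that is not an admin host (implant beaconing,
            data movement) - BMCs should not normally initiate such traffic.
    """
    alerts = []
    for f in flows:
        if f["dst"] in BMC_NET and f["dport"] in BMC_PORTS and not is_admin(f["src"]):
            alerts.append((str(f["src"]), str(f["dst"]),
                           BMC_PORTS[f["dport"]], "inbound-from-unexpected-source"))
        elif f["src"] in BMC_NET and f["dst"] not in BMC_NET and not is_admin(f["dst"]):
            alerts.append((str(f["src"]), str(f["dst"]),
                           f"port-{f['dport']}", "bmc-initiated-egress"))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Two caveats follow directly from the article. First, this only sees traffic that crosses a monitored segment; the in-band path the researchers describe (a compromised host OS talking to its own BMC over the internal host interface) never appears in network flows and needs host- or firmware-level telemetry instead. Second, a non-empty result from rule 1 on production data is itself evidence of the misconfiguration the researchers warn about: a BMC reachable from outside the admin range.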

Earlier this month, industrial cybersecurity company Nozomi Networks revealed the presence of five new vulnerabilities affecting the AMI MegaRAC BMC software solution. They specifically affect the AMI MegaRAC SP-X codebase, upon which the firmware of multiple BMC devices is based. As the firmware is adopted by numerous vendors for creating their unique remote management solutions, these vulnerabilities affect all vendors’ products, including OT (operational technology), IoT, and IT devices whose BMC firmware is derived from the affected codebase. These vulnerabilities have also been found to affect the latest firmware releases.
