Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks

Industrial cybersecurity company Nozomi Networks has revealed five new vulnerabilities affecting the American Megatrends (AMI) MegaRAC BMC software. They specifically affect the AMI MegaRAC SP-X codebase, on which the firmware of multiple baseboard management controllers (BMCs) is based. Because numerous vendors adopt this firmware as the starting point for their own remote management solutions, the vulnerabilities potentially affect every vendor's products whose BMC firmware is derived from the affected codebase, including OT (operational technology), IoT, and IT devices. Nozomi also found the vulnerabilities present in the latest firmware releases of some devices.

Nozomi Networks Labs said in its latest blog post that its research identified vulnerabilities in the file hash verification for backup files and in the BMC host-based web interfaces. “Additionally, in case integrity checks are not enforced by the motherboard BIOS or firmware (e.g., the UEFI that measures firmware integrity during the Secure Boot process), we discovered and present an attack scenario that could allow an attacker to hide a backdoor on the web-based BMC management interface. This backdoor access could persist even across reinstallations of the host operating system or hard resets of the BMC configuration itself. We conclude by explaining the available and suggested remediations for asset owners,” it added on Wednesday.

Last November, Nozomi identified thirteen vulnerabilities affecting the BMCs of Lanner devices based on the AMI MegaRAC SP-X, five of which were rated critical. By abusing those vulnerabilities, an unauthenticated attacker could achieve remote code execution (RCE) with root privileges on the BMC, compromising it and gaining control of the managed host.

The AMI MegaRAC SP-X is a comprehensive BMC firmware solution designed for data center and enterprise-class servers and adopted by a host of recognized vendors. Based on a Linux kernel, it offers features including remote power management, keyboard-video-mouse (KVM) interaction, and virtual media support. Administrators and operators can interact with the BMC through several interfaces, such as the web portal, standard Redfish APIs, and the IPMI service. BMCs play a vital role in managing and monitoring server hardware, but their continuous operation and remote accessibility also introduce security risks.

Nozomi identified vendors whose BMC firmware is, or has been, based on the AMI MegaRAC SP-X, including Asus, Dell, Gigabyte, Hewlett Packard Enterprise, Lanner, Lenovo, NVIDIA, and Tyan. These vendors can deploy the standard MegaRAC SP-X firmware image ‘as-is’ or customize and configure it to their needs.

Nozomi rated two of the vulnerabilities as high risk: CVE-2023-34337, Inadequate Encryption Strength (CWE-326), CVSS v3 7.6; and CVE-2023-34338, Use of Hard-coded Cryptographic Key (CWE-321), CVSS v3 7.1.

The remaining three are rated medium risk: CVE-2023-34473, Use of Hard-coded Credentials (CWE-798), CVSS v3 6.6; CVE-2023-34471, Missing Cryptographic Step (CWE-325), CVSS v3 6.3; and CVE-2023-34472, Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) (CWE-113), CVSS v3 5.7.

In terms of affected versions, CVE-2023-34337, CVE-2023-34473, and CVE-2023-34471 affect SPx_12 releases before update-2.00; CVE-2023-34338 affects SPx_12 releases before update-3.00; and CVE-2023-34472 affects LTS_12 builds up to 4/16/2021, LTS_13 builds up to 7/14/2021, SPx_12 releases before update-5.00, and SPx_13 releases before update-3.00.

The post detailed that “while testing the BMC web interface of a motherboard for OT/IoT purposes in our lab environment, we noticed that it offered the possibility to perform the backup and restore of the BMC configuration.”

It added that by inspecting the content of a backup file, “we immediately noticed that it contained sensitive data of the underlying Linux system, such as network configuration files or authentication information. Notably, there were also some Bash scripts inside the backup file, an evident opportunity for obtaining Remote Code Execution (RCE) on the BMC. However, simply changing the content of the backup file led to it being rejected. We thus decided to investigate how the BMC was validating the integrity of the file.”

Nozomi added that after unpacking the device firmware and loading the ‘spx_restservice’ binary (the main binary responsible for handling web requests) in IDA Pro, “we soon noticed that the backup/restore functionality was handled through an additional shared object called libBackupConf.so and, more specifically, by the RestoreConfFile export function.”

The core of the validation procedure is done inside the ‘VerifyFileIntegrity’ function, the post said. “After reversing the function, we were able to understand that the integrity was verified by comparing an HMAC-SHA1 hash computed on the supplied file against the one included in the file trailer. If matched, the file was accepted. Otherwise, the file was discarded,” it added.

However, the Nozomi researchers soon noticed pitfalls in the process. First, the secret used to compute the HMAC-SHA1 turned out to be one of ten values hardcoded in the library. Second, in one specific BMC firmware, further analysis of the function that generates backup files showed that the secret used was always the first value in that list, so anyone who can extract the library from the firmware image knows exactly which key to use.

In addition, the HMAC-SHA1 was computed with a simplified version of the construction, which is less secure than the standard cryptographic primitive because it provides no resistance against collisions on the SHA1 of the message. Finally, of the 20 bytes of the resulting HMAC-SHA1 output, only 2 bytes were actually compared, leaving just 65,536 possible values to distinguish between. This makes the check far more susceptible to a brute-force attack over the network: an attacker who knows none of the secrets needs at most 65,536 restore attempts to get a tampered file accepted.

In a short time, Nozomi said, “we were able to inject some lines to add a reverse shell in one of the Bash scripts and craft a valid HMAC-SHA1, which gave us root access to the BMC.”
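To make the weakness concrete, the following is an added Python example (not code from Nozomi's post or from AMI firmware) that models the trailer check as the article describes it: a backup body followed by a 20-byte HMAC-SHA1 trailer, computed with the first of ten hardcoded secrets, of which only 2 bytes are compared. It then shows both attacks the description implies (forging a trailer with the extracted secret, and brute-forcing the 2 checked bytes without any secret) next to a hardened check. Assumptions: the secrets and the backup body are constructed stand-ins; the HMAC is the standard construction (the firmware's simplified variant is not reproduced); and the `oracle` argument is a local function standing in for the restore endpoint, which in reality is one authenticated HTTP request per guess.

```python
import hmac
import hashlib
import secrets

# Constructed stand-ins for the ten secrets hardcoded in the library.
# The real values are not on the page and are not needed to show the flaw.
HARDCODED_SECRETS = [f"hypothetical-spx-secret-{i:02d}".encode() for i in range(10)]
TAG_LEN = 20          # full HMAC-SHA1 output length
CHECKED_BYTES = 2     # how much of the tag the flawed check actually compares

# Constructed sample backup body (the page says real backups hold network
# config, credentials and Bash scripts; this is a stand-in, not an SP-X file).
ORIGINAL_BODY = b"[network]\nhostname=bmc01\n[script]\n#!/bin/bash\necho restore-ok\n"
TAMPERED_BODY = ORIGINAL_BODY.replace(b"echo restore-ok", b"echo attacker-controlled-command")


def hmac_sha1(secret: bytes, body: bytes) -> bytes:
    # Standard HMAC-SHA1; the firmware's simplified variant is not reproduced here.
    return hmac.new(secret, body, hashlib.sha1).digest()


def make_backup(body: bytes, secret: bytes = HARDCODED_SECRETS[0]) -> bytes:
    """Backup file = body || 20-byte trailer. The default secret is the first
    list entry, mirroring the firmware Nozomi saw always picking that value."""
    return body + hmac_sha1(secret, body)


def weak_verify(blob: bytes) -> bool:
    """Models the flawed VerifyFileIntegrity: recompute the tag with the
    hardcoded secret, but compare only the first CHECKED_BYTES of it."""
    body, trailer = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac_sha1(HARDCODED_SECRETS[0], body)
    return expected[:CHECKED_BYTES] == trailer[:CHECKED_BYTES]


def forge_with_known_secret(body: bytes) -> bytes:
    """Attack 1: whoever has unpacked the firmware knows the secret, so a
    valid full-length trailer can be produced directly for any body."""
    return make_backup(body, HARDCODED_SECRETS[0])


def brute_force_trailer(body: bytes, oracle) -> tuple:
    """Attack 2: without any secret, guess only the checked bytes. Each guess
    is one restore request; at most 2**16 = 65,536 are ever needed."""
    for guess in range(2 ** (8 * CHECKED_BYTES)):
        trailer = guess.to_bytes(CHECKED_BYTES, "big") + bytes(TAG_LEN - CHECKED_BYTES)
        if oracle(body + trailer):
            return trailer, guess + 1
    raise RuntimeError("no prefix matched; impossible with a 2-byte check")


def strong_verify(blob: bytes, device_secret: bytes) -> bool:
    """Hardened check: per-device secret, full-length tag, constant-time compare."""
    body, trailer = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hmac_sha1(device_secret, body), trailer)


def demo() -> dict:
    # Provisioned per device at manufacturing/first boot, never shipped in firmware.
    device_secret = secrets.token_bytes(32)
    legit = make_backup(ORIGINAL_BODY)
    forged = forge_with_known_secret(TAMPERED_BODY)
    trailer, attempts = brute_force_trailer(TAMPERED_BODY, weak_verify)
    return {
        "legit_accepted_by_weak": weak_verify(legit),
        "forged_accepted_by_weak": weak_verify(forged),
        "bruteforced_accepted_by_weak": weak_verify(TAMPERED_BODY + trailer),
        "bruteforce_attempts": attempts,
        "bruteforced_rejected_by_strong": not strong_verify(TAMPERED_BODY + trailer, device_secret),
        "forged_rejected_by_strong": not strong_verify(forged, device_secret),
        "legit_accepted_by_strong": strong_verify(make_backup(ORIGINAL_BODY, device_secret), device_secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noting when reading the output. The brute-force attack never needs the secret at all, so rotating the ten hardcoded values without fixing the truncated comparison changes nothing; and the hardened variant fixes all three flaws at once (secret not in the firmware image, all 20 bytes compared, comparison in constant time), which is why the example keeps them in one function rather than patching them separately.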

As expected, the backup and restore functionality was restricted to authenticated users only, the post highlighted. “However, unauthenticated attackers may be able to indirectly exploit some of these issues by poisoning a backup and restore file in a repository server and then waiting or convincing an unaware victim/user into using that file to restore from backup, triggering the execution of the malicious code.”

Nozomi also examined the FRU (Field Replaceable Unit) information page of the BMC web interface and found that some of the data shown there is extracted from values hardcoded in the host system BIOS/UEFI. “If in the past updating a BIOS was a task that could be performed only by booting into a special motherboard functionality, nowadays it is more and more prevalent to perform BIOS/UEFI updates straight from the host OS (e.g., through a manufacturer’s ad-hoc application, or the Windows Update service). Thus, we decided to explore editing the BIOS image and reflashing it to test for Stored XSS by abusing some of these fields.”

As a proof of concept, the researchers used one of the AMI BIOS editing tools available on the Internet to inject an XSS payload into the vendor and product names hardcoded in the BIOS image. “We could also have used fields that are not normally displayed during the boot process,” the post noted.

Afterward, “we logged in to the BMC web interface and reopened the FRU webpage. We were soon greeted with the alert, confirming the execution of our arbitrary JavaScript code,” Nozomi added.

The post assesses that, despite its relative simplicity, this attack could have extensive consequences. An attacker who has gained admin privileges on a managed host would be able to move laterally and hide a backdoor in the web-based BMC management interface. “This access could persist despite multiple reinstallations of the host operating system, hard drive changes, or hard resets of the BMC configuration itself. The only way to remove it would be by reflashing the BIOS/UEFI with a clean image. It is also worth noting that the likelihood of a similar attack is low but not impossible: cases where persistence was achieved through firmware reflash in state-sponsored, targeted attacks have already been registered.”

According to AMI’s threat model, protection against scenarios like this is provided by the BIOS/UEFI integrity checks and is the responsibility of the BMC manufacturer and/or end user. Consequently, this finding was not considered a vulnerability, and no CVE ID has been assigned.

Nozomi said that all BMC firmware, on any device, that is based on an AMI MegaRAC SP-X version released up to the third quarter of 2021 is impacted, unless the vendor has applied specific customizations to change or remove the vulnerable portions of code. “Notably, for some devices, we were able to confirm these vulnerabilities in the latest available firmware versions. A BMC firmware is thus patched against all aforementioned CVE IDs only if the respective vendor has chosen to base it on one of the fixed versions that have been released after that time (or if the vendor has applied specific customizations to change or remove the vulnerable portions of code),” it added.

Given that the web-based BMC management interface does not provide information about the MegaRAC SP-X codebase version from which it is derived, precise information about the vulnerability status of devices must be provided by the respective manufacturers. “We urge asset owners to verify with the manufacturers and apply patched versions of the BMC firmware when available,” the post added. 

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) jointly released an information sheet that assists network defenders in protecting baseboard management controllers (BMCs). The guidance highlights threats to BMCs, details actions organizations can use to harden them, and includes recommendations and mitigations for network defenders to secure their systems.
