Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers.
“The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),” firmware and hardware security company Eclypsium said in a report shared with The Hacker News.
BMCs are privileged independent systems within servers that are used to control low-level hardware settings and manage the host operating system, even in scenarios when the machine is powered off.
These capabilities make BMCs an enticing target for threat actors looking to plant persistent malware on devices that can survive operating system reinstalls and hard drive replacements.
Some of the major server manufacturers that are known to have used MegaRAC BMC include AMD, Ampere Computing, Arm, ASRock, Asus, Dell EMC, GIGABYTE, Hewlett Packard Enterprise, Huawei, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
Collectively called BMC&C, the newly identified issues can be exploited by attackers having access to remote management interfaces (IPMI) such as Redfish, potentially enabling adversaries to gain control of the systems and put cloud infrastructures at risk.
The most severe among the issues is CVE-2022-40259 (CVSS score: 9.9), a case of arbitrary code execution via the Redfish API that requires the attacker to already have a minimum level of access on the device (Callback privileges or higher).
CVE-2022-40242 (CVSS score: 8.3) relates to a hash for a sysadmin user that can be cracked and abused to gain administrative shell access, while CVE-2022-2827 (CVSS score: 7.5) is a bug in the password reset feature that can be exploited to determine if an account with a specific username exists.
“[CVE-2022-2827] allows for pinpointing pre-existing users and does not lead into a shell but would provide an attacker a list of targets for brute-force or credential stuffing attacks,” the researchers explained.
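The username-enumeration weakness the researchers describe is a general flaw class rather than something specific to the BMC firmware, so the pattern is worth seeing in code. The following Python snippet is an added illustration, not code from this article, from Eclypsium, or from AMI: a constructed in-memory user store stands in for an account database, `reset_password_leaky` shows a reset handler whose reply reveals whether an account exists, `reset_password_uniform` shows the hardened form that answers identically in both cases, and `responses_differ` is a small defender-side check that flags the leaky behaviour. All function names and the sample accounts are assumptions made for the example.

```python
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample account store standing in for a BMC's user database (not AMI's code).
USERS: Dict[str, str] = {
    "admin": "admin@example.invalid",
    "operator": "ops@example.invalid",
}


def reset_password_leaky(username: str) -> dict:
    """Vulnerable pattern: the status and message depend on whether the account exists,
    so the endpoint doubles as an oracle that lists valid usernames for later
    brute-force or credential-stuffing attempts (the flaw class behind CVE-2022-2827)."""
    if username not in USERS:
        return {"status": 404, "message": "Unknown user"}
    token = secrets.token_urlsafe(32)
    # Echoing the token in the reply is a second mistake, kept here only to mirror the bad pattern.
    return {"status": 200, "message": "Reset e-mail sent", "token": token}


def reset_password_uniform(username: str, outbox: List[Tuple[str, str]]) -> dict:
    """Hardened pattern: the reply is identical whether or not the account exists.
    The token is always generated (so the two code paths do comparable work) and is
    delivered out of band through `outbox`, a stand-in for a mail queue, never in the response."""
    token = secrets.token_urlsafe(32)
    destination = USERS.get(username)
    if destination is not None:
        outbox.append((destination, token))
    return {"status": 202, "message": "If the account exists, a reset message has been sent"}


def responses_differ(handler: Callable[[str], dict], known: str, unknown: str) -> bool:
    """Defender-side check: call the handler with one account that exists and one that
    does not, and report whether the externally visible reply (status, message) differs.
    True means the endpoint leaks account existence and should be treated as a finding."""
    a = handler(known)
    b = handler(unknown)
    return (a["status"], a["message"]) != (b["status"], b["message"])


if __name__ == "__main__":
    print("leaky handler enumerable:", responses_differ(reset_password_leaky, "admin", "nobody"))
    queue: List[Tuple[str, str]] = []
    print(
        "uniform handler enumerable:",
        responses_differ(lambda u: reset_password_uniform(u, queue), "admin", "nobody"),
    )
    print("out-of-band deliveries queued:", len(queue))
```

The same comparison can be applied to any self-service endpoint (login, registration, reset) by swapping in the real handler; uniform status codes and messages remove the oracle, while rate limiting on the endpoint is the complementary control against the brute-force and credential-stuffing follow-ups the researchers mention.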
The findings once again underscore the importance of securing the firmware supply chain and ensuring that BMC systems are not directly exposed to the internet.
“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” the company said.
The findings come as Binarly disclosed multiple high-impact vulnerabilities in AMI-based devices that could result in memory corruption and arbitrary code execution during early boot phases (i.e., a pre-EFI environment).
Earlier this May, Eclypsium also uncovered what’s called a “Pantsdown” BMC flaw impacting Quanta Cloud Technology (QCT) servers, a successful exploitation of which could grant attackers full control over the devices.