Cybersecurity researchers from Eclypsium have discovered two critical vulnerabilities in the AMI MegaRAC Baseboard Management Controller (BMC) software.
The software is designed to provide IT teams with full access to cloud center servers, allowing them to reinstall operating systems, manage apps, and manage the endpoints even when they’re turned off. In industry slang, the software allows for “out-of-band” and “lights-out” remote system management.
The two flaws are tracked as CVE-2023-34329 (authentication bypass via HTTP header spoofing) with a 9.9 severity score, and CVE-2023-34330 (code injection via Dynamic Redfish Extension interface) with an 8.2 severity score. By chaining these vulnerabilities, threat actors could use the Redfish remote management interface and gain remote code execution capabilities on vulnerable servers. Given the tool’s popularity, this could mean millions of servers, as the vulnerable firmware is used by some of the world’s greatest server manufacturers that service high-profile cloud service and data center providers: AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, HPE, Huawei, and more.
The destructive potential is quite extensive, the researchers said, as threat actors could gain access to sensitive data, install ransomware, trojans, or even brick the servers by putting them in an unstoppable neverending reboot loop.
"We also need to emphasize that such an implant can be extremely hard to detect, and is extremely easy to recreate for any attacker in the form of a one-line exploit," the researchers warned in their writeup.
A patch has since been made available by AMI, who advised its customers to apply it immediately, as that is the best way to protect against potential compromise.
Analysis: Why does it matter?
The flaws matter due to their enormous destructive potential. As these are found in a supplier of hardware components, they can trickle down to many cloud service providers, affecting countless organizations. Vulnerabilities such as these two are equal to hitting the motherlode of supply chain attacks.
It all started roughly two years ago when a threat actor going by the name of RansomEXX compromised the endpoints belonging to the computer hardware giant GIGABYTE. The crooks stole more than 100 gigabytes of sensitive data, including information belonging to Intel, AMD, and, among others - AMI. The data was subsequently leaked to the dark web, where it was picked up by cybersecurity researchers from Eclypsium (as well as others, and possibly - many malicious actors).
The researchers uncovered two zero-days that had been lurking among the data for years. It includes using the Redfish remote management interface to gain remote code execution capabilities. Redfish, Ars Technica explains in its writeup, as a successor to traditional IPMI providers, and offers an API standard to manage server infrastructure and other infrastructure needed for today’s data centers. It’s supported by practically all server and infrastructure vendors and the OpenBMC firmware project.
The flaws are found in BMCs - Baseboard Management Controller software. These grant administrators “god mode” status over the servers they manage. As per Ars Technica, AMI is the leading provider of BMCs and BMC firmware and services a wide range of hardware vendors and cloud service providers, including the biggest household names.
The researchers also added that after analyzing publicly available source code, they were able to find the vulnerabilities and write malware, stating that any malicious actor out there could do the same. Even if they had no access to the source code, they could still identify the flaws by decompiling MBC firmware images. The good news is that there’s still no evidence anyone’s done just that.
What have others said about the flaws?
For HD Moore, the CTO and co-founder at runZero, it’s now pivotal that potentially affected customers patch their systems immediately: “The attack chain identified by Eclypsium allows a remote attacker to completely and possibly permanently compromise vulnerable MegaRAC BMCs,” he said. “This attack would be 100% reliable and difficult to detect after the fact.”
He added that updating flawed AMI firmware shouldn’t be too troublesome if environments either have automated their patching, or if they have configured BMC-enabled ethernets, used for out-of-band administration, to use a dedicated network.
While Twitter users were generally quiet on the news, a user named Secure ICS OT, which tweets ICS and ICS security-related tweets, commented: “Laughs in on-premise isolated network,” suggesting that’s the best way to stay secure. On Reddit, users were more talkative, with one user downplaying the importance of the findings: “This isn't as bad as it sounds. How many places have their BMC open to the net? If they have access then they are already on your network anyway and you have bigger issues,” they said.
“I would assume most data centers have BMCs, iDRACs, lifecycle controllers, etc on a management VLAN, so they have some level of protection,” another user added. “On the other hand, there’s the 1.8 bajillion small businesses running one Dell T450 on 192.168.1.x.”
Go deeper
If you want to learn more about the flaws, make sure to read our original article on the GIGABYTE data breach, as well as our explainer on all-things ransomware. Then make sure to read our in-depth guide on best ransomware protection, and best firewalls.