Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks
21.7.23 
Vulnerebility  The Hacker News
AMI MegaRAC BMC Software
Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware.

"These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions," Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News.

"They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system."

To make matters worse, the shortcomings could also be weaponized to drop persistent firmware implants that are immune to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce indefinite reboot loops.

"As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware and computing trust relies on, compromise becomes harder to detect and exponentially more complex to remediate," the researchers pointed out.

Eclypsium's findings are based on an analysis of the AMI firmware leaked in a ransomware attack carried out by the RansomExx crew targeting hardware-maker GIGABYTE in August 2021.

The vulnerabilities are the latest additions to a set of bugs affecting AMI MegaRAC BMCs that have been cumulatively named BMC&C, some of which were disclosed by the firmware security company in December 2022 (CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827) and January 2023 (CVE-2022-26872 and CVE-2022-40258).

The list of new flaws is as follows -

CVE-2023-34329 (CVSS score: 9.1) - Authentication bypass via HTTP header spoofing
CVE-2023-34330 (CVSS score: 8.2) - Code injection via dynamic Redfish extension interface
When chained together, the two bugs carry a combined severity score of 10.0, allowing an adversary to sidestep Redfish authentication and remotely execute arbitrary code on the BMC chip with the highest privileges. In addition, the aforementioned flaws could be strung together with CVE-2022-40258 to crack passwords for the admin accounts on the BMC chip.
It's worth pointing out that an attack of this nature could result in the installation of malware that could be used for conducting long-term cyber espionage while flying under the radar of security software, not to mention performing lateral movement and even destroy the CPU by power management tampering techniques like PMFault.

While there is no evidence that the flaws have been exploited in the wild, the popularity of MegaRAC BMC – a critical supply chain component found in millions of devices shipped by major vendors – makes it a lucrative target for threat actors looking to control every aspect of the targeted system.

"These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing," the researchers said. "In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services."

"As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use."