Two new critical-severity vulnerabilities have been discovered in MegaRAC Baseboard Management Controller (BMC) software manufactured by hardware and software company American Megatrends International.
MegaRAC BMC provides administrators with "out-of-band" and "lights-out" remote system management capabilities, allowing them to troubleshoot servers as if they were physically in front of the devices.
The firmware is used by more than a dozen server manufacturers who supply equipment to many cloud service providers and data centers. Affected vendors include AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett-Packard Enterprise, Huawei, Ampere Computing, ASRock, etc.
Eclypsium security researchers found the flaws (tracked as CVE-2023-34329 and CVE-2023-34330) after analyzing AMI source code stolen by ransomware gang RansomEXX after breaching the network of hardware giant GIGABYTE, one of AMI’s business partners.
As BleepingComputer reported, the RansomEXX threat actors published the stolen files in August 2021 on their dark web data leak site.
Both security flaws allow attackers to bypass authentication or inject malicious code via Redfish remote management interfaces exposed to remote access:
- CVE-2023-34329 – Authentication bypass via HTTP header spoofing (CVSS 3.0 base score of 9.9/10)
- CVE-2023-34330 – Code injection via Dynamic Redfish Extension interface (6.7/10 CVSS 3.0 base score)
By combining these vulnerabilities, a remote attacker with network access to the BMC management interface and lacking BMC credentials can achieve remote code execution on servers running vulnerable firmware.
This is accomplished by tricking the BMC into treating the HTTP request as if it came from the internal (host-side) interface. From there, the attacker can download and execute arbitrary code remotely, potentially even from the Internet if the management interface is exposed online.
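To make the failure mode concrete, here is an added illustration (not AMI's code, and not derived from the Eclypsium advisory) of the pattern the article describes: a web service that decides whether a request is "internal" by reading an HTTP header, next to a version that decides from connection metadata the client cannot forge, plus a small detector that flags log lines where an external peer carries the internal marker. The header name `x-internal-origin`, the address ranges, the credentials and the log format are all constructed placeholders; the page does not name the real header.

```python
"""
Added example: trusting a client-supplied header as proof of internal origin
(an authentication bypass) versus trusting socket-level facts instead.
All header names, addresses, credentials and log lines are constructed.
"""
import base64
import ipaddress
from dataclasses import dataclass, field

# ASSUMPTION: placeholder header name; the real one is not on the page.
INTERNAL_MARKER_HEADER = "x-internal-origin"

# Constructed layout: the host-to-BMC internal link uses a link-local range;
# the external management NIC uses anything else.
INTERNAL_NETS = [ipaddress.ip_network("169.254.0.0/16")]

# Constructed credential store (a real BMC would store password hashes).
CREDENTIALS = {"admin": "constructed-password"}


@dataclass
class Request:
    peer_ip: str                      # TCP peer address as seen by the socket
    local_ip: str                     # BMC-side address the connection arrived on
    headers: dict = field(default_factory=dict)  # lower-cased header names


def vulnerable_is_internal(req: Request) -> bool:
    """Flawed check: any client on the network can set this header."""
    return req.headers.get(INTERNAL_MARKER_HEADER, "").lower() == "true"


def hardened_is_internal(req: Request) -> bool:
    """Correct check: consult only connection facts the client cannot forge."""
    local = ipaddress.ip_address(req.local_ip)
    peer = ipaddress.ip_address(req.peer_ip)
    return any(local in net and peer in net for net in INTERNAL_NETS)


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value (used by tests and callers)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _valid_basic_auth(req: Request) -> bool:
    auth = req.headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return CREDENTIALS.get(user) == pw


def authorize(req: Request, is_internal) -> str:
    """Return 'internal', 'authenticated' or 'denied' using the given origin check."""
    if is_internal(req):
        return "internal"          # host-side requests skip credential checks
    if _valid_basic_auth(req):
        return "authenticated"
    return "denied"


def suspicious_log_lines(lines):
    """Flag requests that claim internal origin but arrive from an external peer.

    Constructed log format: '<peer_ip> <local_ip> <method> <path> hdr=<k=v,...>'.
    """
    hits = []
    for line in lines:
        peer, local, _method, _path, hdrs = line.split(" ", 4)
        pairs = [kv.split("=", 1) for kv in hdrs[len("hdr="):].split(",") if kv]
        req = Request(peer, local, {k.lower(): v for k, v in pairs})
        if INTERNAL_MARKER_HEADER in req.headers and not hardened_is_internal(req):
            hits.append(line)
    return hits


# Constructed access-log sample: one genuine internal request, one spoof, one plain external.
SAMPLE_LOG = [
    "169.254.0.17 169.254.0.2 GET /redfish/v1/ hdr=x-internal-origin=true",
    "203.0.113.7 198.51.100.2 POST /redfish/v1/AccountService hdr=x-internal-origin=true",
    "203.0.113.9 198.51.100.2 GET /redfish/v1/ hdr=",
]

if __name__ == "__main__":
    spoofed = Request("203.0.113.7", "198.51.100.2", {INTERNAL_MARKER_HEADER: "true"})
    print("vulnerable:", authorize(spoofed, vulnerable_is_internal))  # internal
    print("hardened:  ", authorize(spoofed, hardened_is_internal))    # denied
    for line in suspicious_log_lines(SAMPLE_LOG):
        print("suspicious:", line)
```

The design point is that origin must come from something the server itself observes (the interface and peer address of the accepted socket, or a separate listener bound only to the internal link), never from request content; the detector applies the same rule retroactively to logs so that a spoof attempt stands out even on firmware that has not yet been patched.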
Impact includes server bricking and infinite reboot loops
“The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implanting or freezing motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (firmware crash/surge), and indefinite reboot loops that a victim organization cannot interrupt,” Eclypsium said.
“We should also point out that such an implant can be extremely difficult to detect and extremely easy for any attacker to recreate as a single-line exploit.”
In December 2022 and January 2023, Eclypsium revealed five more MegaRAC BMC vulnerabilities (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258) that could be exploited to remotely hijack, brick, or infect compromised servers with malware.
Additionally, the two MegaRAC BMC firmware vulnerabilities disclosed today can be chained with the ones mentioned above.
Specifically, CVE-2022-40258, which involves weak password hashes for Redfish and the API, could help attackers crack the passwords of admin accounts on the BMC chip, making the attack even easier.
“We have seen no evidence that these vulnerabilities or our previously disclosed BMC&C vulnerabilities are being exploited in the wild,” Eclypsium said.
“However, because threat actors have access to the same source data, the risk of these vulnerabilities being weaponized is greatly increased.”