Three vulnerabilities in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) firmware affect server equipment used by many cloud service providers and data centers.
The flaws were discovered by Eclypsium in August 2022 and could allow attackers, under certain conditions, to execute code, bypass authentication and perform user enumeration.
The researchers discovered the flaws after reviewing leaked proprietary code from American Megatrends, specifically the MegaRAC BMC firmware.
MegaRAC BMC is a complete out-of-band, “lights-out” remote system management solution, allowing administrators to troubleshoot servers remotely as if they were standing in front of the device.
MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
The three vulnerabilities discovered by Eclypsium and reported to American Megatrends and affected vendors are:
- CVE-2022-40259: Arbitrary code execution via the Redfish API caused by improper exposure of commands to the user. (CVSS v3.1 score: 9.9 “critical”)
- CVE-2022-40242: Default credentials for the sysadmin user, allowing attackers to establish an administrative shell. (CVSS v3.1 score: 8.3 “high”)
- CVE-2022-2827: Request manipulation flaw allowing an attacker to enumerate usernames and determine whether an account exists. (CVSS v3.1 score: 7.5 “high”)
The most severe of the three flaws, CVE-2022-40259, requires prior access to at least one low-privileged account in order to issue the API call.
“The only complication is that the attack is in the path parameter, but it’s not URL-decoded by the framework, so the exploit needs to be specially crafted to be both URL-valid and bash shell command-valid,” says Eclypsium.
For CVE-2022-40242, the only prerequisite is that the attacker has remote access to the device.
The first two flaws are particularly severe because they give attackers an administrative shell without requiring any further privilege escalation.
If successfully exploited, the vulnerabilities could lead to data manipulation, data breaches, service outages, business interruptions, and more.
The third flaw does not have a significant direct impact on security, because knowing which accounts exist on the target is not enough to cause damage.
However, this would open the door to brute-forcing passwords or performing credential stuffing attacks.
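Because the enumeration flaw mainly matters as a stepping stone to password guessing, the defensive response is to watch the BMC's authentication log for that follow-on activity. The script below is an added example written for this article, not code from Eclypsium or AMI: it parses a constructed, hypothetical log format (real MegaRAC audit logs differ), flags one source repeatedly failing against a single account (brute force), one source failing against many distinct accounts in a short window (credential stuffing or spraying), and any successful login from a source that was already flagged. The window and thresholds are this example's own choices.

```python
"""Detect password brute-forcing and credential stuffing against a BMC login
endpoint from its authentication log.

Added example for this article; not code from Eclypsium or AMI. The log line
format is constructed and hypothetical (real MegaRAC audit logs differ), and
the window and thresholds are this example's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammering a single account, one source
# trying one password across several accounts, and one legitimate user who
# mistyped a password once. Hypothetical format, not real BMC output.
SAMPLE_LOG = """\
2022-12-05T10:00:01Z bmc01 login failed user=admin src=10.0.0.5
2022-12-05T10:00:03Z bmc01 login failed user=admin src=10.0.0.5
2022-12-05T10:00:05Z bmc01 login failed user=admin src=10.0.0.5
2022-12-05T10:00:07Z bmc01 login failed user=admin src=10.0.0.5
2022-12-05T10:00:09Z bmc01 login failed user=admin src=10.0.0.5
2022-12-05T10:00:11Z bmc01 login ok user=admin src=10.0.0.5
2022-12-05T10:01:00Z bmc01 login failed user=admin src=10.0.0.9
2022-12-05T10:01:02Z bmc01 login failed user=root src=10.0.0.9
2022-12-05T10:01:04Z bmc01 login failed user=operator src=10.0.0.9
2022-12-05T10:01:06Z bmc01 login failed user=sysadmin src=10.0.0.9
2022-12-05T10:05:00Z bmc01 login failed user=jsmith src=10.0.0.7
2022-12-05T10:05:30Z bmc01 login ok user=jsmith src=10.0.0.7
2022-12-05T10:06:00Z bmc01 watchdog: unrelated message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return login events as (timestamp, result, user, src), oldest first.
    Lines that are not login records are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def _exceeds_in_window(items, window, limit, measure):
    """Sliding window over (timestamp, value) pairs sorted by time: True if any
    span no longer than `window` scores at least `limit` under `measure`."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if measure(items[start:end + 1]) >= limit:
            return True
    return False


def analyze(text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return flagged (src, user) pairs, flagged sources, and suspicious successes."""
    events = parse_log(text)
    by_pair = defaultdict(list)   # (src, user) -> [(ts, user)]
    by_src = defaultdict(list)    # src -> [(ts, user)]
    for ts, result, user, src in events:
        if result == "failed":
            by_pair[(src, user)].append((ts, user))
            by_src[src].append((ts, user))

    # Brute force: many failures for one account from one source.
    brute = {pair for pair, items in by_pair.items()
             if _exceeds_in_window(items, window, max_failures, len)}
    # Credential stuffing / spraying: one source failing against many distinct
    # accounts, which is exactly what a prior user-enumeration step sets up.
    stuffing = {src for src, items in by_src.items()
                if _exceeds_in_window(items, window, max_users,
                                      lambda span: len({u for _, u in span}))}
    # A success from an already-flagged source deserves immediate attention.
    suspicious = {(src, user) for ts, result, user, src in events
                  if result == "ok" and ((src, user) in brute or src in stuffing)}
    return {
        "brute_force": sorted(brute),
        "credential_stuffing": sorted(stuffing),
        "suspicious_success": sorted(suspicious),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the sample log the admin account hammered from 10.0.0.5 is reported as brute force, 10.0.0.9 is reported for credential stuffing after touching four different accounts, and the eventual successful admin login from 10.0.0.5 is surfaced as a suspicious success; the single mistyped password from 10.0.0.7 produces nothing.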
“As data centers tend to standardize on specific hardware platforms, any vulnerability at the BMC level would most likely apply to a large number of devices and could potentially affect an entire data center and the services it provides,” comments Eclypsium in the report.
It is recommended that system administrators disable remote administration options and add remote authentication steps where possible.
Additionally, administrators should minimize external exposure of server management interfaces like Redfish and ensure that the latest available firmware updates are installed on all systems.
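A practical way to act on these recommendations across a fleet is to pull each BMC's Redfish Manager and AccountService resources and audit them centrally. The script below is an added example written for this article, not code from Eclypsium or AMI. It works only on constructed JSON; on a real fleet the documents would be fetched over HTTPS from /redfish/v1/Managers/<id>, /redfish/v1/AccountService and its Accounts collection (assumed paths, following the DMTF Redfish layout). Property names follow the DMTF Redfish schemas (FirmwareVersion, AccountLockoutThreshold, MinPasswordLength, UserName, Enabled, RoleId); the thresholds, the administrator allowlist and the flagging of an enabled "sysadmin" account (the account named above for CVE-2022-40242) are this example's own choices.

```python
"""Audit a BMC's Redfish AccountService and Manager resources for settings that
make the flaws described above easier to abuse: a default "sysadmin" account
left enabled, unexpected administrators, no lockout on failed logins, a weak
password policy, plus the firmware version to compare against the vendor's
advisory.

Added example for this article, not code from Eclypsium or AMI. The JSON
below is constructed. The Redfish paths mentioned in comments are assumed;
property names follow the DMTF Redfish schemas; thresholds and allowlist are
this example's own choices.
"""
import json

# Constructed sample responses with hypothetical values
# (what GET /redfish/v1/Managers/1 might return).
MANAGER_JSON = json.dumps({
    "@odata.id": "/redfish/v1/Managers/1",
    "Id": "1",
    "Model": "EXAMPLE-BMC",
    "FirmwareVersion": "1.2.3",
})
# (what GET /redfish/v1/AccountService might return)
ACCOUNT_SERVICE_JSON = json.dumps({
    "@odata.id": "/redfish/v1/AccountService",
    "AccountLockoutThreshold": 0,   # 0 means lockout is disabled in Redfish
    "MinPasswordLength": 5,
})
# (members of the AccountService Accounts collection, already expanded)
ACCOUNTS_JSON = json.dumps([
    {"Id": "1", "UserName": "admin", "Enabled": True, "RoleId": "Administrator"},
    {"Id": "2", "UserName": "sysadmin", "Enabled": True, "RoleId": "Administrator"},
    {"Id": "3", "UserName": "monitor", "Enabled": True, "RoleId": "ReadOnly"},
    {"Id": "4", "UserName": "old-op", "Enabled": False, "RoleId": "Operator"},
])

EXPECTED_ADMINS = {"admin"}           # operator-maintained allowlist (assumption)
DEFAULT_ACCOUNT_NAMES = {"sysadmin"}  # account named in the report for CVE-2022-40242
MIN_PASSWORD_LENGTH = 12              # this example's policy, not a vendor value


def audit_bmc(manager_json, account_service_json, accounts_json):
    """Return the BMC's identity plus a list of (finding_code, detail) tuples."""
    manager = json.loads(manager_json)
    service = json.loads(account_service_json)
    accounts = json.loads(accounts_json)
    findings = []

    # Without lockout, the enumeration flaw feeds straight into password guessing.
    if service.get("AccountLockoutThreshold", 0) == 0:
        findings.append(("lockout-disabled",
                         "AccountLockoutThreshold is 0; failed logins never lock the account"))
    if service.get("MinPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        findings.append(("weak-password-policy",
                         f"MinPasswordLength is {service.get('MinPasswordLength')}"))

    for acct in accounts:
        if not acct.get("Enabled", False):
            continue   # a disabled account cannot be logged into
        name = acct.get("UserName", "")
        if name in DEFAULT_ACCOUNT_NAMES:
            findings.append(("default-account-enabled", name))
        if acct.get("RoleId") == "Administrator" and name not in EXPECTED_ADMINS:
            findings.append(("unexpected-admin", name))

    return {
        "manager": manager.get("Id"),
        "model": manager.get("Model"),
        "firmware": manager.get("FirmwareVersion"),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_bmc(MANAGER_JSON, ACCOUNT_SERVICE_JSON, ACCOUNTS_JSON)
    print(f"{report['model']} firmware {report['firmware']}")
    for code, detail in report["findings"]:
        print(f"  {code}: {detail}")
```

The firmware version is reported rather than judged, since the version that fixes each flaw is a per-vendor value taken from that vendor's advisory, not something the script can know; the other four findings on the sample data (lockout disabled, short minimum password, an enabled "sysadmin" account, and that same account holding an unexpected Administrator role) are the items an operator would remediate before the firmware update even lands.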