Supply chain vulnerabilities put server ecosystem at risk
Eclypsium Research has identified and reported three vulnerabilities in American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software.
MegaRAC is used in servers from AMD, Ampere, ASRock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan, and the flaws could allow remote code execution on vulnerable servers.
“The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),” Eclypsium said in a blog post.
Eclypsium’s research into AMI’s BMC firmware resulted in the discovery of three vulnerabilities, which the company collectively refers to as BMC&C. The flaws endanger both individual devices and the cloud services and data centers built on them.
The most serious vulnerability is CVE-2022-40259 (CVSS score: 9.9), arbitrary code execution via the Redfish API, which requires the intruder to already have a minimum level of access on the device. CVE-2022-40242 (CVSS score: 8.3) concerns a password hash for the sysadmin user stored in /etc/shadow, and CVE-2022-2827 (CVSS score: 7.5) lets attackers confirm whether user accounts exist by submitting a list of candidate account names and observing the responses.
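The account-enumeration flaw described above (CVE-2022-2827) leaves a recognisable trace: one source address trying many distinct usernames against the BMC's login endpoint in a short window. The following detector, added here as an illustration and not code from Eclypsium or AMI, scans access-log lines for that pattern. The log format, the source addresses and the usernames are constructed for the example; AMI's real log format is not documented on this page, so the regular expression would need adapting to whatever the BMC actually emits. The Redfish session path `/redfish/v1/SessionService/Sessions` is the standard Redfish login resource.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines in a hypothetical BMC access-log format. This is
# not AMI's real log format, only an illustration for the detector below.
SAMPLE_LOG = """\
2022-12-05T10:00:01Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=admin status=401
2022-12-05T10:00:02Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=root status=401
2022-12-05T10:00:03Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=sysadmin status=401
2022-12-05T10:00:04Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=operator status=401
2022-12-05T10:00:05Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=backup status=401
2022-12-05T10:00:06Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=service status=401
2022-12-05T10:03:10Z 198.51.100.4 POST /redfish/v1/SessionService/Sessions user=opsadmin status=401
2022-12-05T10:03:20Z 198.51.100.4 POST /redfish/v1/SessionService/Sessions user=opsadmin status=401
2022-12-05T10:03:30Z 198.51.100.4 POST /redfish/v1/SessionService/Sessions user=opsadmin status=201
2022-12-05T10:40:00Z 203.0.113.7 POST /redfish/v1/SessionService/Sessions user=guest status=401
"""

# Hypothetical line layout: timestamp, source address, method, path, user, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(
    lines, window: timedelta = timedelta(minutes=5), threshold: int = 5
) -> Dict[str, List[str]]:
    """Return {source: sorted distinct usernames} for every source whose
    failed login attempts touch at least `threshold` distinct usernames
    inside any `window`-long sliding interval.

    A legitimate operator mistyping one password retries the same username;
    an enumeration attempt cycles through many different ones."""
    failures = defaultdict(list)  # src -> [(timestamp, username)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] < 400:
            continue  # unparseable line or successful login
        failures[rec["src"]].append((rec["ts"], rec["user"]))

    flagged: Dict[str, List[str]] = {}
    for src, events in failures.items():
        events.sort()  # chronological, so events[i:] are at or after t0
        best: set = set()
        for i, (t0, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - t0 <= window}
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, users in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible account enumeration from {src}: {', '.join(users)}")
```

Run against the constructed sample, the detector flags only 203.0.113.7, which tried six different usernames within a few seconds; 198.51.100.4 failed twice with the same username and then logged in, which is ordinary operator behaviour. The `guest` attempt forty minutes later falls outside the window and is not counted. The window and threshold are tuning knobs; in a data center where BMC logins come from a handful of management hosts, a much lower threshold is reasonable.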
Attackers with access to remote management interfaces such as IPMI or Redfish can exploit the newly discovered issues, potentially allowing adversaries to gain control of the systems and jeopardize cloud infrastructures.
Nate Warfield, Eclypsium’s director of intelligence and threat research, stated that the attack is carried out using server management tools and that the threat actor only needs remote access to the vulnerable server.
“Attackers need remote access to the BMC. The vulnerabilities are trivial to exploit, and only one of the three requires some level of privilege,” Warfield explained. “Organizations with large server farms, data centers and potentially cloud and hosting providers are particularly vulnerable to this kind of exploit.”
“These vulnerabilities could be exploited by an attacker that has gained initial access into a data center or administrative network. As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” Eclypsium said.
The sources for this piece include an article in SCMedia.