American Megatrends International’s MegaRAC Baseboard Management Controller (BMC) software, used by multiple server manufacturers, including Dell EMC, Lenovo, and more, has been found to have two critical severity vulnerabilities (CVE-2023-34329 and CVE-2023-34330).
Security researchers from Eclypsium discovered the flaws after analyzing AMI source code stolen by the RansomEXX ransomware gang from GIGABYTE’s network, one of AMI’s business partners.
These vulnerabilities allow attackers to bypass authentication and inject malicious code via Redfish remote management interfaces, potentially leading to remote code execution and server bricking, putting cloud service and data center providers at risk.
By exploiting the vulnerabilities, a remote attacker with network access to the BMC management interface can gain remote code execution on servers with vulnerable firmware, even from the Internet if the interface is exposed online. The impact of these flaws includes remote control of compromised servers, remote deployment of malware, firmware implanting, bricking motherboard components, and causing indefinite reboot loops that victim organizations cannot interrupt.
Eclypsium warns that attackers could use this one-line exploit to create implants that are extremely hard to detect. In addition to the two newly discovered vulnerabilities, Eclypsium previously disclosed five other MegaRAC BMC flaws in December 2022 and January 2023, which could be used to hijack, brick, or infect servers with malware.
Eclypsium also highlights that the new MegaRAC BMC firmware vulnerabilities can be chained with the previously disclosed ones. Specifically, CVE-2022-40258, involving weak password hashes for Redfish & API, makes it easier for attackers to crack administrator passwords for BMC admin accounts, adding to the severity of the attack.
While there is no current evidence of exploitation in the wild, the fact that threat actors have access to the stolen source data increases the risk of these vulnerabilities being weaponized.
Cloud service and data center providers are urged to update their MegaRAC BMC software to the latest patched version to protect against potential cyberattacks exploiting these critical flaws.
