Three vulnerabilities found in popular baseboard software

Three vulnerabilities have been found in a popular brand of baseboard software used by many of the world's leading server manufacturers. 

Security experts from Eclypsium Research disclosed CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827 — three vulnerabilities affecting the MegaRAC Baseboard Management Controller (BMC) software from American Megatrends, Inc. (AMI).

BMCs are independent computers within a server with their own independent power, firmware, memory, and networking stack. Eclypsium Research said BMCs are designed to provide administrators with near total and remote control over the servers they manage, meaning the vulnerabilities potentially affect a very large number of devices and “could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud services.”

MegaRAC is considered one of the world’s leading providers of BMC remote management firmware and serves as a “foundational component of modern computing found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world.”

The company did not respond to requests for comment, but the software is used to provide management capabilities for server manufacturers like AMD, Dell, Gigabyte, ARM, Asus, Hewlett-Packard Enterprise, Huawei, Lenovo, NVidia, Qualcomm and many others. 

“These vulnerabilities can pose serious risks in any case in which an attacker has access to an affected server’s BMC. As a security best practice, BMCs should not be directly exposed to the Internet and scans performed after the initial disclosure indicate that public exposure is relatively low compared to recent high-profile vulnerabilities in other infrastructure products,” the researchers said. 

“However, it is quite common to find BMCs that are exposed due to either misconfigurations or poor security hygiene. Additionally, these vulnerabilities could be exploited by an attacker that has gained initial access into a data center or administrative network.”

All three vulnerabilities have CVSS scores above 7.5, with CVE-2022-40259 carrying a critical 9.9 score. CVE-2022-40259 requires prior access to at least a low-privilege account and CVE-2022-40242 requires remote access to the device, according to the report. 

Several steps are needed to fully exploit CVE-2022-2827 but it eventually would provide an attacker a “list of targets for brute force or credential stuffing attacks.”

The researchers noted that data centers typically use dozens of the same devices, meaning any vulnerability would apply to a large number of devices and would have wide ranging effects on an entire data center. 

The vulnerabilities are also difficult to detect because most security systems tend to focus on operating systems and not the underlying firmware, the researchers found. 

“These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services,” they wrote. 

“As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.”

Attackers could gain remote control of compromised servers, deploy malware or ransomware, and cause physical damage to servers. 

The researchers said they discovered the bugs in August after becoming aware of an alleged leak of intellectual property from AMI. Eclypsium Research said it is unclear whether the vulnerabilities have been exploited. They worked with AMI and others on resolving the issues and said they reached out to other parties to determine the scope of impact. 

The researchers noted that in January, hackers attacked data centers through malware named iLOBleed and managed to wipe the disks of servers. 

Remediation for issues like this can often be difficult because of their location in the computing stack, the researchers said, explaining that it is “not optimized for patching at scale.”

“As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware relies on, compromise becomes harder to detect and exponentially more complex to remediate,” the researchers said. 

“While compromise of a server OS can be resolved with a wipe & reinstallation, firmware compromise has the potential to remain beyond reinstallation and even more drastic measures like hard drive replacement.”

UPDATE: AMI responded to the situation this week, releasing a statement that confirms the vulnerabilities.

After being notified of the issues, the company's Product Security Incident Response Team worked with CISA, CERT, and Eclypsium to remediate the bugs, according to AMI CISO Sam Cure.

"As part of our continuous process and key relationships with CISA and global research firms, we took proactive steps to remediate the identified vulnerabilities and promptly notified all affected customers. We have been in direct contact with our customers since the beginning of this process, and all customers were provided a patch to resolve these vulnerabilities. We are committed to keeping our customers informed and recommend they update their firmware with the latest updates," Cure said.

"At AMI, we will continue to work with CISA and research firms to monitor the security landscape, ensuring vulnerabilities are quickly identified, addressed, and reported. We are committed to maintaining the highest security standards for all our products to best protect our customers from potential risks."