Two new vulnerabilities found in popular baseboard software

Two new vulnerabilities have been found in a popular brand of baseboard software used in millions of devices worldwide.

Researchers at the supply chain security firm Eclypsium said on Friday they discovered the vulnerabilities — which affect American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software — earlier this year and worked with the company to resolve the issues. The tools underpin cloud computing and are widely used by many of the world’s biggest technology providers.

AMI is one of the biggest providers of BMC technology, which is designed to give administrators significant control over the servers they manage. The vulnerabilities could “enable attackers to gain control of or cause damage not only to devices but to data centers and cloud service infrastructure.”

AMI did not respond to multiple requests for comment but released advisories for the issues last week. CVE-2023-34329 carries a vulnerability severity score of 9.1 out of 10 while CVE-2023-34330 has a score of 8.2.

Eclypsium researchers explained that the vulnerabilities can be exploited by any local or remote attacker with access to the Redfish management interface, a standard API for managing server hardware out of band. When chained together, the vulnerabilities have a severity score of 10, according to Eclypsium.

The researchers noted that their investigation came about as a result of information leaked in a 2021 ransomware attack on Taiwanese computer hardware vendor Gigabyte. The researchers said they were notified in August 2022 that the ransomware attack leaked AMI source code, as Gigabyte is a supply chain partner of AMI. The leak “purportedly contained sensitive IP under NDA from AMD [Advanced Micro Devices], Intel, and AMI.”

After examining the stolen data, Eclypsium confirmed that it was legitimate and began to look through it for vulnerabilities, noting that the information was now out in the open and malicious actors were likely doing the same.

“This is significant because it means that threat actors have access to the same source code we used in our research, making it a straightforward exercise to find these and other vulnerabilities,” they said.

The vulnerabilities would give attackers remote control over compromised servers, allowing them to remotely deploy malware, ransomware and more. Hackers could also physically damage motherboard components and servers, or trap devices in an infinite loop of reboots that organizations could not stop.

They added that in particularly disruptive attacks, hackers could “leverage the often homogeneous environments in data centers to potentially send malicious commands to every other BMC on the same management segment, forcing all devices to continually reboot in such a way that victim operators are unable to stop the behavior.”

In the most extreme cases theorized by the researchers, hackers could create an “indefinite, unrecoverable downtime” that would necessitate entirely new devices. The researchers noted that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published security guidelines specifically for BMCs as part of its Cross-Sector Cybersecurity Performance Goals initiative.

CISA released the advisory in response to an increasing number of attacks on data centers that have caused significant impact because of their effect on third-party organizations. MegaRAC BMC is a “critical supply chain component found in millions of devices worldwide and used by multiple top-tier manufacturers to deliver ‘lights-out’ management for servers,” the researchers added.

“Given one of these vulnerabilities doesn’t even require authentication, there is even greater urgency to address them,” Eclypsium said.

“The post-exploit impact potential for data centers, hyperscale environments and critical servers can result in long term persistence or disruptive/destructive scenarios on multiple devices across a single environment, or multiple environments exposed to the same vulnerabilities and threat actors able to exploit them.”

The researchers outlined multiple exploitation scenarios, noting that one of the most likely is an “infinite shutdown loop” where hackers use the vulnerabilities to force devices to keep shutting down endlessly while blocking administrators from stopping the process.

Hackers would then be able to extort factory owners because the BMC is “normally the last line of resort for administrators to restore a downed system.” Attackers could also conduct long-term espionage operations, using the vulnerabilities to monitor actions taken by administrators.

In one scenario, hackers could use malware to effectively fry devices, tampering with power management to destroy the hardware itself.

Difficult to remediate

Eclypsium acknowledged that firmware vulnerabilities can be difficult to remediate: they are often hard to patch at scale because the firmware is embedded deep within devices. In some situations, these vulnerabilities can impact hundreds of thousands, possibly millions of systems, they noted. Unlike software issues, a compromise can leave devices physically destroyed or permanently inoperable.

The security company said it has been working with AMI and other parties who use the products to resolve the issues, including several unnamed original equipment manufacturer vendors, affected IT supply chain parties, and large cloud infrastructure providers.

There is currently no evidence that the vulnerabilities have been exploited, but the researchers noted that the leaked source code was on the RansomEXX ransomware gang’s leak site for more than a year, giving cybercriminals and nation states ample time to pore over it.

The researchers added that more companies need to consider the risks that come with using products from major IT supply chain cogs that have dealt with ransomware attacks and data leaks in recent months, like Western Digital, MSI and Acer.

“A single breach can expose the secrets of many upstream and downstream partners. For example, AMI was not the original victim of the ransomware attack and subsequent leak, but instead had their source code leaked due to an attack on a supply chain partner,” they explained.

“Source code leaks in the IT supply chain tend to have a long tail in terms of impact. As in this case, ongoing analysis often reveals more vulnerabilities. This makes it critical for organizations to patch and closely monitor any assets and components affected by incidents targeting the IT supply chain.”

One issue is that many endpoint detection or antivirus products focus on operating systems and not the underlying firmware, making it difficult for defenders to protect against attacks involving the vulnerabilities.

The researchers urged organizations to remove the BMC interface from the internet, an act mandated by CISA for U.S. government agencies. Customers should also consult their vendors on the best way forward.

Eclypsium discovered several other BMC vulnerabilities in December.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.