Firmware Flaws Could Spell 'Lights Out' for Servers

Five vulnerabilities in the baseboard management controller (BMC) firmware used in servers of 15 major vendors could give attackers the ability to remotely compromise the systems widely used in data centers and for cloud services.

The vulnerabilities, two of which were disclosed this week by hardware security firm Eclypsium, occur in system-on-chip (SoC) computing platforms that use AMI’s MegaRAC Baseboard Management Controller (BMC) software for remote management. The flaws could impact servers produced by at least 15 vendors, including AMD, Asus, ARM, Dell, EMC, Hewlett-Packard Enterprise, Huawei, Lenovo, and Nvidia.

Eclypsium disclosed three of the vulnerabilities in December, but withheld information on two additional flaws until this week in order to allow AMI more time to mitigate the issues.

Since the vulnerabilities can only be exploited if the servers are connected directly to the Internet, the extent of the vulnerabilities is hard to measure, says Nate Warfield, director of threat research and intelligence at Eclypsium.

“We really don’t know what the what the blast radius is on this, because while we know some of the platforms, we don’t have any details as to [how] prolific these things are,” he says. “You know, did they sell 100,000 of them? Did they sell 10 million of them? We just don’t know.”

Baseboard management controllers are typically a single chip — or system-on-chip (SoC) — installed on a motherboard to allow administrators to remotely manage servers with near total control. AMI’s MegaRAC is a collection of software based on the Open BMC firmware project, an open source project for developing and maintaining an accessible baseboard management controller firmware.

Many server makers rely on BMC software to allow administrators to take complete control of the server hardware at a low level, giving it access to “lights-out” features, the Eclypsium advisory stated. Because the software is widely used, the footprint of the vulnerable features is quite large.

"[V]ulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services," Eclypsium stated in its advisory. “As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.”

AMI is the latest baseboard management controller (BMC) software maker to have vulnerabilities found in their code. In 2022, Eclypsium also found vulnerabilities in Quanta Cloud Technology (QCT) servers that have found common use by cloud firms. And previous research by the company in 2020 found that the lack of signed firmware in laptops and servers could allow an attacker to install a Trojan horse to remote control the devices.

December Flaws Most Serious

The two latest flaws released on January 30 include two lower severity issues. The first vulnerability (CVE-2022-26872) gives an attacker the ability to reset a password if they can time the attack during a narrow window between when a one-time password is validated and when the new password is sent by the user. In the second security issue (CVE-2022-40258), the password file is hashed with a weak algorithm, Eclypsium stated.

Both issues are less severe than the three vulnerabilities disclosed in December, which include two vulnerabilities — a dangerous command in the BMC’s API (CVE-2022-40259) and a default credential (CVE-2022-40242) — that could allow simple remote code execution, Eclypsium stated in the advisory. The other vulnerability (CVE-2022-2827) allows an attacker to remotely enumerate usernames via the API.

The Redfish API replaces previous versions of the Intelligent Platform Management Interface (IPMI) in modern data centers, with support from major server vendors and the Open BMC project, according to Eclypsium.

Eclypsium conducted its analysis of the AMI software after the code was leaked to the Internet by a ransomware group. AMI is not thought to be the source of the leaked software code; rather, the code is a result of a third-party vendor being hit by ransomware, Warfield says.

“What we’ve discovered back in the summer was that somebody had leaked intellectual property for a bunch of technology companies onto the Internet,” he says. “And, as we were digging through it … trying to figure out what it was and who had it, we came across some of AMI’s intellectual property. So we kind of started digging into that to see what we could find.”

Patching Rate Unknown

AMI has issued patched software for all five vulnerabilities, and now the mitigation of the vulnerabilities is in the hands of server makers and their customers.

Already, many vendors — such as HPE, Intel, and Lenovo — have issued advisories to their customers. However, patching those servers will be up to the companies who have the servers deployed in their data centers.

Firmware patching tends to happen at a glacial rate, which should be a worry, says Warfield.

“The tricky part is the the time between the patches coming out and people actually applying them,” he says. “BMC is not something with, sort of, a Windows update mechanism, where you can say, 'Oh, I’ve got 100,000 servers that are affected. Let me just push this out to all of them.’”