Security
Headlines
HeadlinesLatestCVEs

Headline

Firmware Flaws Could Spell 'Lights Out' for Servers

Five vulnerabilities in the baseboard management controller (BMC) software used by 15 major vendors could allow remote code execution if attackers gain network access.

DARKReading
#vulnerability#windows#intel#rce#lenovo#amd#asus#huawei#dell

Five vulnerabilities in the baseboard management controller (BMC) firmware used in servers of 15 major vendors could give attackers the ability to remotely compromise the systems widely used in data centers and for cloud services.

The vulnerabilities, two of which were disclosed this week by hardware security firm Eclypsium, occur in system-on-chip (SoC) computing platforms that use AMI’s MegaRAC Baseboard Management Controller (BMC) software for remote management. The flaws could impact servers produced by at least 15 vendors, including AMD, Asus, ARM, Dell, EMC, Hewlett-Packard Enterprise, Huawei, Lenovo, and Nvidia.

Eclypsium disclosed three of the vulnerabilities in December, but withheld information on two additional flaws until this week in order to allow AMI more time to mitigate the issues.

Since the vulnerabilities can only be exploited if the servers are connected directly to the Internet, the extent of the vulnerabilities is hard to measure, says Nate Warfield, director of threat research and intelligence at Eclypsium.

“We really don’t know what the what the blast radius is on this, because while we know some of the platforms, we don’t have any details as to [how] prolific these things are,” he says. “You know, did they sell 100,000 of them? Did they sell 10 million of them? We just don’t know.”

Baseboard management controllers are typically a single chip — or system-on-chip (SoC) — installed on a motherboard to allow administrators to remotely manage servers with near total control. AMI’s MegaRAC is a collection of software based on the Open BMC firmware project, an open source project for developing and maintaining an accessible baseboard management controller firmware.

Many server makers rely on BMC software to allow administrators to take complete control of the server hardware at a low level, giving it access to “lights-out” features, the Eclypsium advisory stated. Because the software is widely used, the footprint of the vulnerable features is quite large.

"[V]ulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services," Eclypsium stated in its advisory. “As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.”

AMI is the latest baseboard management controller (BMC) software maker to have vulnerabilities found in their code. In 2022, Eclypsium also found vulnerabilities in Quanta Cloud Technology (QCT) servers that have found common use by cloud firms. And previous research by the company in 2020 found that the lack of signed firmware in laptops and servers could allow an attacker to install a Trojan horse to remote control the devices.

December Flaws Most Serious

The two latest flaws released on January 30 include two lower severity issues. The first vulnerability (CVE-2022-26872) gives an attacker the ability to reset a password if they can time the attack during a narrow window between when a one-time password is validated and when the new password is sent by the user. In the second security issue (CVE-2022-40258), the password file is hashed with a weak algorithm, Eclypsium stated.

Both issues are less severe than the three vulnerabilities disclosed in December, which include two vulnerabilities — a dangerous command in the BMC’s API (CVE-2022-40259) and a default credential (CVE-2022-40242) — that could allow simple remote code execution, Eclypsium stated in the advisory. The other vulnerability (CVE-2022-2827) allows an attacker to remotely enumerate usernames via the API.

The Redfish API replaces previous versions of the Intelligent Platform Management Interface (IPMI) in modern data centers, with support from major server vendors and the Open BMC project, according to Eclypsium.

Eclypsium conducted its analysis of the AMI software after the code was leaked to the Internet by a ransomware group. AMI is not thought to be the source of the leaked software code; rather, the code is a result of a third-party vendor being hit by ransomware, Warfield says.

“What we’ve discovered back in the summer was that somebody had leaked intellectual property for a bunch of technology companies onto the Internet,” he says. “And, as we were digging through it … trying to figure out what it was and who had it, we came across some of AMI’s intellectual property. So we kind of started digging into that to see what we could find.”

Patching Rate Unknown

AMI has issued patched software for all five vulnerabilities, and now the mitigation of the vulnerabilities is in the hands of server makers and their customers.

Already, many vendors — such as HPE, Intel, and Lenovo — have issued advisories to their customers. However, patching those servers will be up to the companies who have the servers deployed in their data centers.

Firmware patching tends to happen at a glacial rate, which should be a worry, says Warfield.

“The tricky part is the the time between the patches coming out and people actually applying them,” he says. “BMC is not something with, sort of, a Windows update mechanism, where you can say, 'Oh, I’ve got 100,000 servers that are affected. Let me just push this out to all of them.’”

Related news

Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks

Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware. "These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser

Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. The issues, collectively

CVE-2022-26872

AMI Megarac Password reset interception via API

CVE-2022-40259

AMI MegaRAC Redfish Arbitrary Code Execution

CVE-2022-2827

AMI MegaRAC User Enumeration Vulnerability

CVE-2022-40259

AMI MegaRAC Redfish Arbitrary Code Execution

CVE-2022-40242

MegaRAC Default Credentials Vulnerability

New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),"

New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),"

New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),"

DARKReading: Latest News

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel