How to find MegaRAC BMCs

This week, Eclypsium Research published findings on critical vulnerabilities discovered in AMI MegaRAC baseboard management controller (BMC) firmware. Adding to the portfolio of “BMC&C” vulnerabilities that Eclypsium has been discovering and surfacing since late 2022, these two new vulnerabilities (tracked as CVE-2023-34329 and CVE-2023-34330) can be exploited and chained together to yield unauthenticated remote code execution on vulnerable targets. These vulnerabilities could impact many devices, as MegaRAC BMCs are popular across a number of manufacturers and appear in products from AMD, Asus, Dell EMC, Gigabyte, HPE, Lenovo, Nvidia, and more. 

What is an A MI MegaRAC BMC?

MegaRAC baseboard management controllers (BMCs) provide “lights out” management capabilities for remotely monitoring and managing servers. Manufactured by American Megatrends International (AMI), MegaRAC BMCs include a service processor and network connection that operate separately from the server they are connected to. Modern MegaRAC BMC firmware includes support for the Redfish API.

What is the impact?

These two newly disclosed vulnerabilities involve the Redfish service running on the MegaRAC:

• Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329; CVSS score 9.1 – “critical”)
• Code injection via Dynamic Redfish Extension (CVE-2023-34330; CVSS score 8.2 – “high”)

CVE-2023-34329 can be exploited with specially crafted HTTP headers to trick the Redfish service into believing the request is coming from an interface that does not require authentication, such as USB0. On systems which have the No Auth option enabled, these spoofed headers will allow attackers to access and interact with any Redfish API endpoints.

CVE-2023-34330 can be exploited via an HTTP POST action to execute arbitrary code on the MegaRAC processor. While this code-execution-via-POST was an intentional design choice by AMI, it likely was intended for internal development only. However, it is enabled by default in vulnerable versions of the firmware, making it available to a broader audience.

Chaining exploitation of the two above vulnerabilities together can provide attackers with unauthenticated remote code execution and full control over a vulnerable MegaRAC target. Following successful exploitation, attackers can establish persistence, perform data exfiltration, perform lateral movement in the network, deploy malware, and more. Attackers can also perform a denial of service by forcing the server into a reboot loop or even bricking the system so it will no longer properly function.

Are updates available?

AMI has made patched firmware available in versions SPx_12.4 and SPx_13.2. Admins should update MegaRAC BMCs to the newer firmware as soon as possible.

Eclypsium Research also shared mitigations to help reduce the chance of a successful attack, including:

• Ensuring all remote server management network interfaces are NOT exposed externally and operate on networks dedicated to management traffic only.
• Ensuring access to remote server management network interfaces is restricted to administrative users via ACLs or firewalls per Zero Trust Architecture principles.

Additionally, U.S. government agencies and contractors legally required to comply with CISA’s Binding Operational Directive 23-02 should note required guidance to follow (similar to the aforementioned mitigation steps).

How do I find potentially vulnerable MegaRAC BMCs with runZero?

From the Asset inventory, use the following prebuilt query to locate MegaRAC BMC instances in your network:

hw:megarac

Results from the above query should be triaged to verify if those assets are running updated firmware versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.