This week, Eclypsium Research published findings on critical vulnerabilities discovered in AMI MegaRAC baseboard management controller (BMC) firmware. Adding to the portfolio of “BMC&C” vulnerabilities that Eclypsium has been discovering and surfacing since late 2022, these two new vulnerabilities (tracked as CVE-2023-34329 and CVE-2023-34330) can be exploited and chained together to yield unauthenticated remote code execution on vulnerable targets. These vulnerabilities could impact many devices, as MegaRAC BMCs are popular across a number of manufacturers and appear in products from AMD, Asus, Dell EMC, Gigabyte, HPE, Lenovo, Nvidia, and more.
What is an AMI MegaRAC BMC?
MegaRAC baseboard management controllers (BMCs) provide “lights out” management capabilities for remotely monitoring and managing servers. Manufactured by American Megatrends International (AMI), MegaRAC BMCs include a service processor and network connection that operate separately from the server they are connected to. Modern MegaRAC BMC firmware includes support for the Redfish API.
What is the impact?
These two newly disclosed vulnerabilities involve the Redfish service running on the MegaRAC:
- Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329; CVSS score 9.1 – “critical”)
- Code injection via Dynamic Redfish Extension (CVE-2023-34330; CVSS score 8.2 – “high”)
CVE-2023-34329 can be exploited with specially crafted HTTP headers to trick the Redfish service into believing the request is coming from an interface that does not require authentication, such as USB0. On systems that have the No Auth option enabled, these spoofed headers allow attackers to access and interact with any Redfish API endpoint.
CVE-2023-34330 can be exploited via an HTTP POST action to execute arbitrary code on the MegaRAC processor. While this code-execution-via-POST was an intentional design choice by AMI, it likely was intended for internal development only. However, it is enabled by default in vulnerable versions of the firmware, making it available to a broader audience.
Chaining exploitation of the two above vulnerabilities together can provide attackers with unauthenticated remote code execution and full control over a vulnerable MegaRAC target. Following successful exploitation, attackers can establish persistence, perform data exfiltration, perform lateral movement in the network, deploy malware, and more. Attackers can also perform a denial of service by forcing the server into a reboot loop or even bricking the system so it will no longer properly function.
Are updates available?
AMI has made patched firmware available in versions SPx_12.4 and SPx_13.2. Admins should update MegaRAC BMCs to the newer firmware as soon as possible.
Eclypsium Research also shared mitigations to help reduce the chance of a successful attack, including:
- Ensuring all remote server management network interfaces are NOT exposed externally and operate on networks dedicated to management traffic only.
- Ensuring access to remote server management network interfaces is restricted to administrative users via ACLs or firewalls per Zero Trust Architecture principles.
Additionally, U.S. government agencies and contractors legally required to comply with CISA’s Binding Operational Directive 23-02 should note that the directive’s required guidance closely mirrors the mitigation steps above.
How do I find potentially vulnerable MegaRAC BMCs with runZero?
Results from the above query should be triaged to verify if those assets are running updated firmware versions.
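One way to carry out that triage, as an added example that is not runZero's or Eclypsium's code: it takes the Manager resources an inventory tool would collect from each BMC's standard Redfish /redfish/v1/Managers collection and sorts them against the patched releases named above. It assumes the BMC reports FirmwareVersion in the advisory's "SPx_major.minor" form; anything else is flagged for manual review rather than judged.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Patched MegaRAC releases named in the advisory: the fix shipped in SPx_12.4 and
# SPx_13.2, so an older build on the same branch is treated as vulnerable.
PATCHED_MINIMUMS = {12: 4, 13: 2}

# ASSUMPTION: the BMC reports its version in the advisory's "SPx_<major>.<minor>"
# form. Real devices may expose an OEM-specific string; those come back "unknown".
VERSION_RE = re.compile(r"SPx_(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(firmware_version: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a reported version string, or None if unrecognised."""
    match = VERSION_RE.search(firmware_version or "")
    return (int(match.group(1)), int(match.group(2))) if match else None


def classify(firmware_version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    parsed = parse_version(firmware_version)
    if parsed is None:
        return "unknown"
    major, minor = parsed
    if major not in PATCHED_MINIMUMS:
        # Branches the advisory does not mention get a human review, not a verdict.
        return "unknown"
    return "patched" if minor >= PATCHED_MINIMUMS[major] else "vulnerable"


def triage_managers(managers_json: str) -> Dict[str, str]:
    """Map each Redfish Manager's @odata.id to a verdict.

    The input is a JSON array of Manager resources as fetched from the members
    of /redfish/v1/Managers; the standard Manager schema carries FirmwareVersion.
    """
    verdicts = {}
    for manager in json.loads(managers_json):
        verdicts[manager.get("@odata.id", "?")] = classify(manager.get("FirmwareVersion", ""))
    return verdicts


# Constructed sample: three Manager resources as a discovery tool might collect them.
SAMPLE_MANAGERS = json.dumps([
    {"@odata.id": "/redfish/v1/Managers/bmc-a", "FirmwareVersion": "SPx_12.3"},
    {"@odata.id": "/redfish/v1/Managers/bmc-b", "FirmwareVersion": "SPx_13.2"},
    {"@odata.id": "/redfish/v1/Managers/bmc-c", "FirmwareVersion": "1.07.00"},
])

if __name__ == "__main__":
    for path, verdict in triage_managers(SAMPLE_MANAGERS).items():
        print(f"{path}: {verdict}")
```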
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.