Firmware and hardware security company Eclypsium has disclosed information on two new vulnerabilities found by its researchers in the American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software.
Eclypsium disclosed other flaws discovered as part of the same research project in December 2022. The analysis focused on information leaked as a result of a ransomware attack launched in 2021 against motherboard maker Gigabyte, a supply chain partner of AMI. The vulnerabilities discovered by the cybersecurity firm in the AMI BMC are collectively tracked as BMC&C.
The BMC software enables administrators to remotely monitor and control a device, without the need to go through the operating system or applications running on it. It can be used to update firmware, install operating systems, and analyze logs. While these features make BMC very useful, they can also make it a tempting target for threat actors.
The BMC made by AMI is present in millions of devices worldwide as it’s used in the products of major companies such as Ampere, Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
The new vulnerabilities disclosed by Eclypsium on Thursday are CVE-2023-34329, a critical authentication bypass issue that can be exploited by spoofing HTTP headers, and CVE-2023-34330, a code injection flaw.
“When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it,” Eclypsium explained.
Similar to the previously disclosed vulnerabilities, these new flaws can pose a significant risk to organizations. An attacker who has gained access to the targeted server’s BMC can conduct a wide range of activities, and the impact can be significant, particularly in the case of data centers and cloud environments.
In one theoretical scenario described by Eclypsium, an attacker leverages existing BMC functionality to create a continuous shutdown loop on the host and prevent legitimate users from accessing it. These types of attacks are difficult to detect and address, and researchers warn that the method could be used to extort a targeted organization.
“When this happens to a small number of machines, the impact may be limited in scale, however should the same vulnerabilities be exploited across an entire BMC management segment and affect hundreds or thousands of devices at once, the impact can be catastrophic to operations, and result in indefinite downtime with no ability to recover,” the security firm said.
Access to the BMC also allows an attacker to stealthily access KVM (keyboard/video/mouse) functionality, enabling them not only to closely monitor legitimate users but also conduct activities on their behalf using KVM inputs.
A hacker can also cause physical destruction through power management tampering, by changing CPU voltages and permanently bricking them.
BMC access can also be used for lateral movement, including to other BMCs, network devices, and even to Active Directory.
While these vulnerabilities could pose a significant risk to millions of systems, Eclypsium is currently not aware of in-the-wild exploitation. Proof-of-concept (PoC) exploits have not been made public, but sophisticated threat actors could find the flaws on their own by looking at the same leaked information that the security firm analyzed.