Cybersecurity researchers from Eclypsium have uncovered two new critical vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) software, designed by American Megatrends International (AMI). The firm’s findings suggest that these vulnerabilities could allow malicious actors to remotely gain control of millions of computers.
BMCs are integral components in managing large server fleets, enabling system administrators to remotely monitor and control hosts even when those hosts are offline. This capability, often referred to as ‘lights out’ management, offers significant control over many servers at once, which makes BMCs an attractive target for potential hackers.
The two new vulnerabilities found in AMI’s BMC firmware could allow hackers to abuse these management controls. The extent of the security risk is magnified by AMI’s reach, with its firmware installed in numerous devices from major tech players such as Ampere, ASRock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
The vulnerabilities, designated CVE-2023-34329 and CVE-2023-34330, are a critical authentication bypass that can be triggered by spoofing HTTP headers (CVE-2023-34329) and a code injection flaw (CVE-2023-34330). They were identified through an analysis of the AMI source code leaked in the 2021 Gigabyte data breach.
Eclypsium’s researchers have highlighted the significant risk these vulnerabilities pose to organizations. Remote access and control by hackers could enable the installation or removal of any software. A theoretical scenario presented by the researchers shows the extent of the potential damage: an attacker could repeatedly shut down an affected machine, locking legitimate users out indefinitely and potentially leading to extortion of the company.
Moreover, the researchers warn of the possibility of attackers leveraging the system’s keyboard/video/mouse (KVM) functionality to monitor users and control machines covertly. There is also the potential threat of meddling with the system’s power management, which could render entire server fleets inoperable.
Currently, there are no known instances of these vulnerabilities being exploited. However, Eclypsium has published proof-of-concept exploits illustrating the feasibility of such attacks on the affected systems. The discovery underscores the importance of rigorous cybersecurity measures in the face of evolving threats.