Three vulnerabilities in American Megatrends' MegaRAC Baseboard Management Controller (BMC) software affect server equipment used by many cloud service and data center providers.
Eclypsium discovered the flaws in August 2022. Subject to certain conditions, they could allow attackers to execute code, bypass authentication and enumerate users.
The researchers found the flaws while examining MegaRAC BMC firmware obtained from leaked copies of American Megatrends' proprietary code.
MegaRAC BMC allows for remote "out-of-band" or "lights out" system management: administrators can remotely troubleshoot servers as though they were right in front of them.
MegaRAC BMC firmware is used by at least 15 server makers, including AMD, Ampere Computing and ASRock.
Vulnerability details
These are the three vulnerabilities that Eclypsium discovered and reported to American Megatrends:
- CVE-2022-40259: An arbitrary code execution flaw via the Redfish API, caused by incorrect exposure of commands to users. (CVSS v3.1 score: 9.9, "critical")
- CVE-2022-40242: Default credentials for the sysadmin user, allowing attackers to create administrative shells. (CVSS v3.1 score: 8.3, "high")
- CVE-2022-2827: A request manipulation flaw that lets an attacker determine whether an account is active and enumerate usernames. (CVSS v3.1 score: 7.5, "high")
Exploiting CVE-2022-40259, the most serious of the three, requires access to at least a low-privileged account that can call the affected API.
Eclypsium notes that the only caveat is that the injected input is passed in the path parameter, which the framework does not URL-decode. The exploit must therefore be crafted so that it is both a valid URL and a valid bash shell command.
CVE-2022-40242 can only be exploited with remote access.
Impact
These flaws are serious because they give attackers administrative shells without any further privilege escalation.
If exploited, the vulnerabilities can lead to data manipulation, data breaches, service outages, business interruptions, and other damage.
The third flaw is unlikely to have significant security implications on its own: knowing which accounts exist on a target is not enough to do damage.
It does, however, open the door to password brute-forcing and credential-stuffing attacks.
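The two attack shapes the article describes, injected input carried literally in a Redfish request path and one source probing many usernames, both leave traces in BMC logs. The script below is an added example, not code from Eclypsium or American Megatrends, showing detection logic a defender could run over those logs. The Apache-style access-log format, the `bmc-auth` login-failure line format and every log line are constructed for the example; only the `/redfish/v1` service root is the real Redfish prefix.

```python
"""Added example (not code from Eclypsium or American Megatrends): detection
logic for BMC logs covering the two attack shapes the article describes.

  * Redfish requests whose raw request path carries shell metacharacters.
    The article notes the injected input travels in the path and is not
    URL-decoded by the framework, so the interesting characters appear
    literally in the access log.
  * One source address failing logins against many distinct usernames,
    the footprint of username enumeration feeding a brute-force or
    credential-stuffing attempt.

All log lines and both log formats are constructed for this example and
are not AMI's actual formats.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Shell metacharacters that have no place in a Redfish resource path.
# Only the path is inspected: OData query strings legitimately use '$'.
SHELL_META = re.compile(r"[;|&`$]")

# Apache/nginx "combined" style access line (assumed format).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed auth-log line: "<ts> bmc-auth: login failed user=<u> src=<ip>"
AUTH_RE = re.compile(r"login failed user=(?P<user>\S+) src=(?P<src>\S+)")

SAMPLE_ACCESS_LOG = """\
10.0.5.21 - - [01/Dec/2022:10:00:01 +0000] "GET /redfish/v1/Systems HTTP/1.1" 200 512 "-" "curl/7.81.0"
10.0.5.21 - - [01/Dec/2022:10:00:02 +0000] "GET /redfish/v1/Systems?$select=PowerState HTTP/1.1" 200 64 "-" "curl/7.81.0"
203.0.113.7 - - [01/Dec/2022:10:01:05 +0000] "GET /redfish/v1/Managers/1/;id HTTP/1.1" 404 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [01/Dec/2022:10:01:06 +0000] "GET /redfish/v1/Managers/1/$(id) HTTP/1.1" 404 0 "-" "python-requests/2.28.1"
10.0.5.22 - - [01/Dec/2022:10:01:30 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 201 128 "-" "curl/7.81.0"
"""

SAMPLE_AUTH_LOG = """\
2022-12-01T10:02:00Z bmc-auth: login failed user=admin src=198.51.100.9
2022-12-01T10:02:01Z bmc-auth: login failed user=root src=198.51.100.9
2022-12-01T10:02:02Z bmc-auth: login failed user=operator src=198.51.100.9
2022-12-01T10:02:03Z bmc-auth: login failed user=sysadmin src=198.51.100.9
2022-12-01T10:05:00Z bmc-auth: login failed user=admin src=10.0.5.21
2022-12-01T10:05:04Z bmc-auth: login ok user=admin src=10.0.5.21
"""


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def suspicious_redfish_paths(lines):
    """Return (src, raw_target) for Redfish requests whose *undecoded* path
    contains shell metacharacters. The path is deliberately not URL-decoded,
    matching the framework behaviour the article describes."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path  # query string is dropped here
        if path.startswith("/redfish/") and SHELL_META.search(path):
            hits.append((rec["src"], rec["target"]))
    return hits


def enumeration_sources(auth_lines, threshold=3):
    """Map each source address that failed logins for at least `threshold`
    distinct usernames to the sorted list of those usernames."""
    failed = defaultdict(set)
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:
            failed[m.group("src")].add(m.group("user"))
    return {src: sorted(users) for src, users in failed.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    for src, target in suspicious_redfish_paths(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"shell metacharacters in Redfish path from {src}: {target}")
    for src, users in enumeration_sources(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{src} failed logins for {len(users)} distinct users: {', '.join(users)}")
```

The path check intentionally ignores the query string, because OData parameters such as `$select` legitimately contain `$`, and it does not decode the path, since a payload the framework would pass through undecoded is the only kind that matters here. The enumeration threshold is a tuning knob; on a real BMC fleet it should be set from observed baseline failure rates rather than the value used above.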
“Data centers are more likely to use specific platforms for their hardware, so any BMC-level vulnerability could most likely affect large numbers of devices. This could impact an entire data centre and all its services,” comments Eclypsium.
These vulnerabilities could easily affect hundreds of thousands, or even millions, of servers.
Administrators should disable remote administration and enable remote authentication options wherever possible.
Administrators must also keep external exposure of server management interfaces such as Redfish to a minimum and ensure all devices run the latest firmware updates.
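One practical way to act on the exposure advice above is to audit the BMC inventory against the networks reserved for out-of-band management. The script below is an added example, not a tool from American Megatrends or Eclypsium; the management CIDRs, the RFC 1918 ranges as the notion of "internal", and every inventory row are constructed for the example.

```python
"""Added example (not a tool from American Megatrends or Eclypsium): audit a
BMC inventory for management interfaces that sit outside the networks
reserved for out-of-band management. The management CIDRs and the
inventory rows below are constructed for the example."""
import ipaddress

# Networks where BMC / Redfish interfaces are allowed to live (constructed).
MANAGEMENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "10.0.6.0/24")]

# RFC 1918 private ranges: anything outside these is treated as routable.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory rows: (hostname, BMC address, Redfish listener enabled).
INVENTORY = [
    ("db-01", "10.0.5.31", True),         # on a management net: fine
    ("db-02", "10.0.6.12", False),        # on a management net: fine
    ("web-07", "172.16.9.5", True),       # private, but outside management nets
    ("web-08", "203.0.113.80", True),     # not an RFC 1918 address at all
    ("build-03", "192.168.40.7", False),  # outside management nets, Redfish off
]


def in_any(ip, nets):
    """True if `ip` falls inside any network in `nets`."""
    return any(ip in net for net in nets)


def exposure_findings(inventory, mgmt_nets=MANAGEMENT_NETS):
    """Return (hostname, address, reason) for every BMC whose address is not
    inside an allowed management network. Addresses outside RFC 1918 space
    are called out separately because they are the worse case, and the
    reason notes when the Redfish listener is also enabled."""
    findings = []
    for host, addr, redfish_on in inventory:
        ip = ipaddress.ip_address(addr)
        if in_any(ip, mgmt_nets):
            continue
        reason = ("outside management networks" if in_any(ip, RFC1918_NETS)
                  else "not an RFC 1918 address")
        if redfish_on:
            reason += ", Redfish enabled"
        findings.append((host, addr, reason))
    return findings


if __name__ == "__main__":
    for host, addr, reason in exposure_findings(INVENTORY):
        print(f"{host:10} {addr:16} {reason}")
```

In practice the inventory would come from the asset database or DHCP leases for the management VLAN rather than a literal list, but the membership check is the same, and any row the function reports is a BMC that the article's guidance says should be moved behind the management network or have its remote interfaces disabled.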