Two recently discovered security flaws in the AMI MegaRAC Baseboard Management Controller (BMC) software present critical risks. These vulnerabilities, if exploited, enable remote attackers to gain control over vulnerable servers and deploy malware. The severity of these flaws ranges from high to critical, including unauthenticated remote code execution and unauthorized access with superuser privileges. Attackers can exploit these vulnerabilities through the Redfish remote management interface or from a compromised host operating system.
These weaknesses could be used for persistent firmware implants that remain unaffected by operating system reinstalls or hard drive replacements, damage motherboard components, induce overvolting attacks causing physical harm, or trigger continuous reboot loops. The Eclypsium researchers, Vlad Babkin and Scott Scheferman, emphasize that such attacks focus on lower-level embedded code, making detection difficult and remediation complex.
The findings are based on an analysis of the AMI firmware leaked during a ransomware attack on GIGABYTE in August 2021 by the RansomExx group. The vulnerabilities add to a series of bugs in AMI MegaRAC BMCs, collectively known as BMC&C. Some were previously disclosed in December 2022 and January 2023.
The new flaws include CVE-2023-34329, with a CVSS score of 9.1, allowing authentication bypass via HTTP header spoofing, and CVE-2023-34330, with a CVSS score of 8.2, enabling code injection via a dynamic Redfish extension interface. When combined, these bugs carry a severity score of 10.0, granting adversaries the ability to bypass Redfish authentication and execute arbitrary code on the BMC chip with the highest privileges.
These vulnerabilities pose significant risks to the technology supply chain and cloud computing. The widespread presence of MegaRAC BMC in devices from major vendors makes it a tempting target for attackers aiming to control all aspects of a targeted system. This threat extends to servers and hardware owned by organizations and those supporting cloud services they use.