AMI MegaRAC Baseboard Management Controller (BMC) software is used by system administrators for remote access to server hardware. A couple of months ago, security experts found three serious vulnerabilities in it. Now, two more vulnerabilities have been found.
Firmware security company Eclypsium said American Megatrends has been aware of the problem for a long time. Eclypsium decided to make the vulnerabilities public only now in order to give the company’s engineers more time to fix them.
The vulnerabilities can be used as a launching pad for cyber-attacks because they allow remote code execution and unauthorized access to devices with super-user privileges.
The essence of the vulnerabilities is as follows:
CVE-2022-26872 (CVSS score: 8.3) — password reset hijacking via API;
CVE-2022-40258 (CVSS score: 5.3) — weak Redfish and API password hashes.
MegaRAC was also found to use the MD5 hashing algorithm with a static salt on older devices and SHA-512 with a dynamic (per-account) salt on newer devices. Although password salting is a fairly robust security measure, the stored hashes, and the passwords behind them, can still be recovered by attackers exploiting the vulnerabilities above.
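To make concrete why a static salt is weaker than a per-account one, here is an added Python example (not AMI’s or Eclypsium’s code): it models the two schemes the article names and adds a simple audit check an administrator can run over a list of stored digests. The salt constant and the account list are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two BMC accounts that happen to share a password.
USERS = {"admin": "Winter2023!", "operator": "Winter2023!"}

# Placeholder for a firmware-wide constant; the real value is not on the page.
STATIC_SALT = b"fixed-salt-placeholder"


def legacy_md5_hash(password: str) -> str:
    """Older-device scheme named in the article: MD5 with one salt shared by all accounts."""
    return hashlib.md5(STATIC_SALT + password.encode()).hexdigest()


def salted_sha512_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Newer-device scheme named in the article: SHA-512 with a per-account random salt."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha512(salt + password.encode()).hexdigest()


def verify_sha512(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored salt/digest pair."""
    return hmac.compare_digest(salted_sha512_hash(password, salt)[1], stored)


def has_duplicate_digests(digests: list) -> bool:
    """Audit check: identical digests across accounts reveal a static (or missing) salt,
    so one cracked hash or one precomputed table covers every account at once."""
    return len(set(digests)) < len(digests)


def legacy_store(users: dict) -> dict:
    """Simulated credential store under the static-salt MD5 scheme."""
    return {name: legacy_md5_hash(pw) for name, pw in users.items()}


def salted_store(users: dict) -> dict:
    """Simulated credential store under the per-account-salt SHA-512 scheme."""
    return {name: salted_sha512_hash(pw) for name, pw in users.items()}


if __name__ == "__main__":
    legacy = legacy_store(USERS)
    salted = salted_store(USERS)
    print("static-salt MD5 duplicates:", has_duplicate_digests(list(legacy.values())))  # True
    print("per-account SHA-512 duplicates:",
          has_duplicate_digests([d for _, d in salted.values()]))  # False
```

Identical passwords collide under the static-salt scheme, which is why a leaked hash list from such a device is far cheaper to crack than one with per-account salts.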
CVE-2022-26872 and CVE-2022-40258 complement the three other vulnerabilities disclosed in December, including CVE-2022-40259 (CVSS score: 9.9), CVE-2022-40242 (CVSS score: 8.3) and CVE-2022-2827 (CVSS score: 7.5).
It is worth noting that these vulnerabilities can only be exploited where BMCs are exposed to the Internet, or where the attacker has already gained initial access to the data center or administrative network by other means.
Gigabyte, Hewlett Packard Enterprise, Intel and Lenovo have released updates to address security flaws in their devices. NVIDIA is expected to release a patch in May 2023.
“The consequences of exploiting these vulnerabilities include remote management of compromised servers, remote deployment of malware, ransomware and embedded software implants, and physical server damage,” Eclypsium noted.