MegaRAC flaws, IP leak impact multiple server brands

MegaRAC BMC software from American Megatrends, Inc. has a trio of serious security vulnerabilities that were discovered following an intellectual property leak.

Researchers discovered multiple vulnerabilities in a line of server motherboard controllers that affect a wide range of manufacturers.

The team at Eclypsium took credit for discovering and reporting vulnerabilities in American Megatrends' (AMI) MegaRAC baseboard management controller (BMC) software, which affects multiple server vendors. The vulnerable components are used for remote administration of servers.

"The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking)," Eclypsium said in a blog post Monday.

According to Eclypsium, the vulnerabilities are present in MegaRAC, a server management platform for x86, ARM, and Power chips made by AMI. The flaws include a remote code execution (RCE) bug and elevation of privilege errors that would allow a threat actor to gain superuser rights on vulnerable servers.

In total, three CVEs have been issued for the vulnerabilities: CVE-2022-40259, a critical RCE flaw with a CVSS score of 9.9; CVE-2022-40242, a high-severity flaw involving default credentials; and CVE-2022-2827, a high-severity user enumeration bug. While the MegaRAC vulnerabilities are bad news for server manufacturers, the discovery process could spell even more trouble.

Eclypsium said it was aware in August of a potential leak of AMI intellectual property, which was posted to the internet. "After downloading and reviewing the data, it appeared legitimate, and since there was a chance others had accessed it the decision was made to look for vulnerabilities in case malicious actors were doing the same," the blog post said.

Because the AMI components are offered wholesale to server vendors, the vulnerabilities are spread across a wide array of brands. Eclypsium said that as many as 15 vendors, including the likes of Dell EMC, Qualcomm, HPE and Nvidia, use the AMI server management components.

AMI has released an update to address the issue, but the OEM server manufacturers will need to issue their own updates in turn. This also means that several cloud providers that use those brands in their data centers are vulnerable to attack.

"These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing," Eclypsium said in the blog post.

"In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services."

In a statement to TechTarget Editorial, Eclypsium director of intelligence and threat research Nate Warfield said that an attack would be carried out via server management tools and would only require that the threat actor have remote access to the vulnerable server.

"Attackers need remote access to the BMC. The vulnerabilities are trivial to exploit, and only one of the three requires some level of privilege," Warfield explained.

"Organizations with large server farms, data centers and potentially cloud and hosting providers are particularly vulnerable for this kind of exploit."

Eclypsium advised administrators to ensure their remote management interfaces (such as Redfish and IPMI) are secured and not exposed to the open internet, and to install server firmware updates when they become available.
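As an added example (not from the article or from Eclypsium), the following Python audits a constructed BMC inventory against an assumed allow-list of dedicated management networks and flags any BMC that serves Redfish or IPMI from an address outside them, which is the exposure the advice above targets. The hostnames, addresses, network ranges and record format are all assumptions.

```python
import ipaddress

# Constructed sample inventory: hypothetical hosts, BMC addresses and the
# management services each BMC is listening on.
INVENTORY = [
    {"host": "db-01", "bmc_ip": "10.20.0.11", "services": ["ipmi", "redfish"]},
    {"host": "web-07", "bmc_ip": "203.0.113.45", "services": ["redfish"]},
    {"host": "gpu-03", "bmc_ip": "198.51.100.9", "services": ["ipmi"]},
    {"host": "backup-02", "bmc_ip": "172.16.9.3", "services": []},
]

# Assumed policy: BMCs may only be reachable on these dedicated,
# non-internet-routed management networks.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.5.0/24"),
]

# Remote management protocols named in the article.
MANAGEMENT_SERVICES = {"ipmi", "redfish"}


def on_management_network(ip_text, nets=MANAGEMENT_NETS):
    """True if the address falls inside one of the allow-listed management networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in nets)


def audit_bmc_exposure(inventory, nets=MANAGEMENT_NETS):
    """Return one finding per BMC that serves IPMI or Redfish from outside the
    management networks. A BMC with no management service listening is not
    reported even if its address is outside the allow-list."""
    findings = []
    for rec in inventory:
        exposed = sorted(MANAGEMENT_SERVICES & set(rec["services"]))
        if exposed and not on_management_network(rec["bmc_ip"], nets):
            findings.append(
                {"host": rec["host"], "bmc_ip": rec["bmc_ip"], "exposed": exposed}
            )
    return findings


if __name__ == "__main__":
    for f in audit_bmc_exposure(INVENTORY):
        print(f"{f['host']}: BMC {f['bmc_ip']} serves {', '.join(f['exposed'])} "
              "outside the management network")
```

Feed it your real BMC inventory and management CIDRs; anything it reports should be moved behind the management network or have its Redfish/IPMI listener disabled, in addition to applying the vendor firmware update.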
