
Two more security flaws have been disclosed in the AMI MegaRAC Baseboard Management Controller (BMC) firmware, roughly two months after three vulnerabilities in the same product came to light. Because MegaRAC is licensed to a large number of server OEMs, the issues are effectively supply chain flaws.
Firmware security firm Eclypsium said disclosure of the two flaws had been held back until now to give AMI additional time to design appropriate mitigations.
The issues are tracked collectively as BMC&C. They can act as a springboard for cyberattacks, allowing threat actors to remotely execute code and gain unauthorized access to devices with superuser privileges.
The two new flaws in question are:
- CVE-2022-26872 (CVSS score: 8.3) – Password reset interception via API
- CVE-2022-40258 (CVSS score: 5.3) – Weak password hashes for Redfish and APIs
Specifically, MegaRAC has been found to hash passwords with MD5 and a global salt on older devices, or with SHA-512 and a per-user salt on newer appliances. Both are fast general-purpose hashes rather than purpose-built password hashes, so an attacker who obtains the stored hashes can potentially crack the passwords offline; with a global salt, a single precomputed table also works against every user account (and every device sharing that firmware build).
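To make the difference between the two schemes concrete, the following Python is an added illustration and is not code from the article, from Eclypsium, or from AMI. It builds a constructed credential store in each scheme (the on-disk layout, the global salt value and the wordlist are assumptions, not MegaRAC's real format), runs a dictionary attack against both, counts the hash operations each attack needs, and contrasts them with a purpose-built iterated KDF (PBKDF2-HMAC-SHA256, iteration count chosen for the example).

```python
"""Offline cracking cost of global-salt MD5 vs per-user-salt SHA-512 vs an
iterated password KDF. Added example; storage formats below are hypothetical."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: one salt compiled into the firmware image and shared by all users.
GLOBAL_SALT = b"fw-build-salt"

# Constructed sample data (not real credentials or a real wordlist).
WORDLIST = ["password", "admin", "calvin", "root", "123456", "changeme"]
USERS = {"admin": "changeme", "ops": "calvin", "backup": "Tr0ub4dor&3"}

# PBKDF2 work factor for the hardened variant; tuned for this example only.
PBKDF2_ITERATIONS = 200_000


def md5_global_salt(password: str) -> str:
    """Legacy scheme: MD5 over a firmware-wide salt plus the password."""
    return hashlib.md5(GLOBAL_SALT + password.encode()).hexdigest()


def sha512_per_user(password: str, salt: bytes) -> str:
    """Newer scheme: SHA-512 over a random per-user salt plus the password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def make_legacy_store(users: Dict[str, str]) -> Dict[str, str]:
    return {u: md5_global_salt(p) for u, p in users.items()}


def make_newer_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    store = {}
    for u, p in users.items():
        salt = os.urandom(8)
        store[u] = (salt, sha512_per_user(p, salt))
    return store


def crack_legacy(store: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Global salt: hash each candidate once, then look up every user's hash.
    Cost is len(WORDLIST) hashes no matter how many users (or devices) exist."""
    table = {md5_global_salt(w): w for w in WORDLIST}  # built once, reused
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(WORDLIST)


def crack_newer(store: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, str], int]:
    """Per-user salt: the dictionary must be rehashed per user, so cost scales
    with user count, but each SHA-512 is still cheap, so guessing stays fast."""
    found: Dict[str, str] = {}
    hashes = 0
    for u, (salt, h) in store.items():
        for w in WORDLIST:
            hashes += 1
            if hmac.compare_digest(sha512_per_user(w, salt), h):
                found[u] = w
                break
    return found, hashes


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened variant: per-user salt plus an iterated KDF, so every guess
    costs PBKDF2_ITERATIONS HMAC evaluations instead of one hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    legacy_found, legacy_cost = crack_legacy(make_legacy_store(USERS))
    newer_found, newer_cost = crack_newer(make_newer_store(USERS))
    print(f"global-salt MD5: cracked {legacy_found} with {legacy_cost} hashes")
    print(f"per-user SHA-512: cracked {newer_found} with {newer_cost} hashes")
    salt, digest = pbkdf2_hash("changeme")
    print("PBKDF2 verify ok:", pbkdf2_verify("changeme", salt, digest))
```

The point the numbers make: the per-user salt only multiplies the attacker's work by the number of accounts, and it does nothing about the speed of each guess. Only the iterated (or memory-hard) KDF raises the per-guess cost, which is why password storage should use PBKDF2, bcrypt, scrypt or Argon2 rather than a bare MD5 or SHA-512.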
CVE-2022-26872, on the other hand, relies on social engineering: a user is tricked into resetting their password through the HTTP API, and the attacker intercepts the reset flow to set a password of their own choosing.
CVE-2022-26872 and CVE-2022-40258 come in addition to the three vulnerabilities published in December: CVE-2022-40259 (CVSS score: 9.9), CVE-2022-40242 (CVSS score: 8.3), and CVE-2022-2827 (CVSS score: 7.5).
It's worth pointing out that the vulnerabilities can only be exploited in scenarios where the BMC is exposed to the internet, or where the attacker has already obtained initial access to the data center or management network through other means. Keeping BMC interfaces on an isolated management network that is not reachable from the internet therefore remains the first line of defense while patches are rolled out.
The full blast radius of BMC&C is not yet known, but Eclypsium says it is working with AMI and other stakeholders to identify the range of affected products and services.
Gigabyte, Hewlett Packard Enterprise, Intel, and Lenovo have all released updates to address the flaws in their devices. NVIDIA plans to ship a fix in May 2023.
"The consequences of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and physical damage (bricking) of servers," Eclypsium said.