Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks

July 20, 2023 | THN | Hardware Security / System Administration


Two additional security flaws were revealed in the AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow an attacker to remotely take over a vulnerable server and deploy malware.

In a report shared with The Hacker News, Eclypsium researchers Vlad Babkin and Scott Scheferman said, “These new vulnerabilities could lead to unauthenticated remote code execution and unauthorized access with superuser privileges. The severity ranged from high to critical, such as unauthorized device access.”

“They can be exploited by remote attackers accessing the Redfish remote management interface or from a compromised host operating system.”

Worse yet, the shortcomings could be exploited to drop persistent firmware implants that survive operating system reinstalls and hard drive replacements, to brick motherboard components, to cause physical damage through overvoltage attacks, and to force indefinite reboot loops.

“As attackers shift their focus from user-facing operating systems to the low-level embedded code upon which hardware and computing trust relies, breaches become harder to detect and exponentially more complex to remediate,” the researchers noted.

The vulnerabilities are the latest additions to a series of bugs affecting AMI MegaRAC BMCs, collectively named BMC&C, some of which were disclosed by the firmware security company in December 2022 (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827) and February 2023 (CVE-2022-26872 and CVE-2022-40258).

Here is the list of new defects:

  • CVE-2023-34329 (CVSS Score: 9.9) – Authentication Bypass with HTTP Header Spoofing
  • CVE-2023-34330 (CVSS score: 6.7) – Code injection via dynamic Redfish extension interface

Chaining the two bugs together gives a combined severity score of 10.0, allowing an attacker to bypass Redfish authentication and remotely execute arbitrary code on the BMC chip with the highest privileges. Additionally, the aforementioned flaws combined with CVE-2022-40258 could potentially be used to crack the administrator account password on the BMC chip.


It’s worth pointing out that this kind of attack can lead to the installation of malware that can be used for long-term cyber espionage while staying under the radar of security software. It could also be used to move laterally across the environment and even physically destroy CPUs through power-management tampering techniques such as PMFault.

“These vulnerabilities pose significant risks to the technology supply chain underlying cloud computing,” the researchers said. “In short, a component supplier vulnerability could affect many hardware vendors, which in turn could spill over into many cloud services.”

“Thus, these vulnerabilities can pose risks not only to the servers and hardware owned directly by the organization, but also to the hardware supporting the cloud services used by the organization.”
