Updated on 2022-12-07: AMI BMC vulnerabilities
Eclypsium researchers have discovered three vulnerabilities in the firmware of AMI MegaRAC baseboard management controllers. Eclypsium says the three vulnerabilities can be exploited via the Redfish and IPMI ports for remote code execution that can grant attackers access to the superuser account on the BMC firmware. Baseboard management controllers are typically used to provide remote management of large computer fleets, and are commonly found in enterprise network setups. Eclypsium says that server manufacturers known to use AMI MegaRAC BMCs for their products include the likes of AMD, Asus, Gigabyte, Inspur, and Qualcomm. The researchers named the vulnerabilities BMC&C. Read more: SUPPLY CHAIN VULNERABILITIES PUT SERVER ECOSYSTEM AT RISK
Updated on 2022-12-05: AMI MegaRAC Flaws Affect Servers from Multiple Manufacturers
Researchers from Eclypsium have detected three vulnerabilities in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software. The flaws, which have severity ratings from medium to critical, could be exploited to achieve remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking). Mitigation recommendations include making sure “that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems in their environments are on their dedicated management networks and are not exposed externally, and ensure internal BMC interface access is restricted to administrative users with ACLs or firewalls.”
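As an added example (not code from the article, Eclypsium or AMI), the following Python audit models the recommendation above: it assumes a constructed dedicated management network of 10.250.0.0/24 and a first-match ACL with default deny, and flags any BMC whose Redfish (tcp/443) or IPMI (udp/623) service is reachable from a non-management source, or whose own address is not on the management network.

```python
"""Audit BMC exposure: Redfish/IPMI must only be reachable from management networks."""
import ipaddress
from dataclasses import dataclass

# Constructed example: the dedicated management network (assumption, not from the article)
MGMT_NETS = [ipaddress.ip_network("10.250.0.0/24")]
# Remote management services named in the advisory and their usual ports
BMC_SERVICES = {("tcp", 443): "redfish", ("udp", 623): "ipmi"}


@dataclass
class AclRule:
    src: ipaddress.IPv4Network
    proto: str
    port: int
    action: str  # "allow" or "deny"


def first_match(rules, src_ip, proto, port):
    """First-match ACL evaluation; anything unmatched is denied (default deny)."""
    for rule in rules:
        if src_ip in rule.src and rule.proto == proto and rule.port == port:
            return rule.action
    return "deny"


def audit_bmc(bmc_ip, rules, probe_sources):
    """Return a list of findings for one BMC address under the given ACL.

    probe_sources are representative source addresses for each network zone;
    sources inside MGMT_NETS are legitimate and skipped."""
    findings = []
    ip = ipaddress.ip_address(bmc_ip)
    if not any(ip in net for net in MGMT_NETS):
        findings.append(f"{bmc_ip}: BMC address not on a dedicated management network")
    for src in probe_sources:
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in MGMT_NETS):
            continue
        for (proto, port), name in BMC_SERVICES.items():
            if first_match(rules, src_ip, proto, port) == "allow":
                findings.append(f"{bmc_ip}: {name} ({proto}/{port}) reachable "
                                f"from non-management source {src}")
    return findings


def example_rules():
    """Constructed ACL: correct management-only rules plus one over-broad Redfish rule."""
    return [
        AclRule(ipaddress.ip_network("10.250.0.0/24"), "tcp", 443, "allow"),
        AclRule(ipaddress.ip_network("10.250.0.0/24"), "udp", 623, "allow"),
        AclRule(ipaddress.ip_network("0.0.0.0/0"), "tcp", 443, "allow"),  # the misconfiguration
    ]
```

Run against a real ACL export by building AclRule objects from it and probing with one address per network zone (office LAN, DMZ, Internet).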
Note
- Part of the issue is “redfish”, the new API meant to replace IPMI. Redfish is based around “web standards” which apparently means that we now include standard web application vulnerabilities like OS command injection in BMC software. These days, applications are web applications, whether it is a BMC, a mobile app or a word processor. You will only be able to defend your organization if you understand web applications.
- If you’re not already doing so, consider the BMC as equivalent to standing at the physical console of the system. The services enable your system administrators to do almost anything from wherever they are located. As such, you really need to restrict the access to only users and devices that need to access them. Never expose these directly to the Internet. Now it gets harder – you need to keep them updated, make sure that you’re only running the genuine/vetted versions, and monitor for anomalous behavior. Make sure that you have a non-production system to test updates, as you can effectively kneecap a system getting this wrong.
Read more in
- Supply Chain Vulnerabilities Put Server Ecosystem at Risk
- Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others
- New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers
Overview: BMC Firmware Flaws
Researchers at Nozomi Networks have detected 13 vulnerabilities in baseboard management controller (BMC) firmware used in operational technology (OT) and Internet of Things (IoT) devices. These particular flaws “affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X.” The vulnerabilities could be exploited to achieve remote code execution (RCE) with root privileges.
Note
- The BMC firmware has low level access to system functions, operating below the OS level, so fixing this is important. Fortunately, Lanner has released updates which resolve the issues, but you may have to actively reach out to Lanner to get the update. In addition, make sure that you’re restricting access to the web interface to trusted devices and users. Make sure that remote access requires a VPN and ideally even a bastion host.
Read more in