Three vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software impact server equipment used in many cloud service and data center providers.
The flaws were discovered by Eclypsium in August 2022 and could enable attackers, under certain conditions, to execute code, bypass authentication, and perform user enumeration.
The researchers discovered the flaws after examining leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware.
MegaRAC BMC is a solution for complete “out-of-band” and “lights-out” remote system management, allowing admins to troubleshoot servers remotely as if standing in front of the device.
MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
The three vulnerabilities discovered by Eclypsium and reported to American Megatrends and impacted vendors are the following:
- CVE-2022-40259: Arbitrary code execution flaw via Redfish API due to improper exposure of commands to the user. (CVSS v3.1 score: 9.9 “critical”)
- CVE-2022-40242: Default credentials for sysadmin user, allowing attackers to establish administrative shell. (CVSS v3.1 score: 8.3 “high”)
- CVE-2022-2827: Request manipulation flaw allowing an attacker to enumerate usernames and determine if an account exists. (CVSS v3.1 score: 7.5 “high”)
The most severe of the three flaws, CVE-2022-40259, requires prior access to at least a low-privileged account to perform the API callback.
“The only complication is the attack sits in the path parameter, but it is not URLdecoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command,” says Eclypisum.
For the exploitation of CVE-2022-40242, the only prerequisite for the attacker is to have remote access to the device.
The first two flaws are very severe due to giving attackers access to an administrative shell without requiring further escalation.
The vulnerabilities could cause data manipulation, data breaches, service outage, business interruption, and more if successfully leveraged.
The third flaw doesn’t have a significant direct security impact, as knowing what accounts exist on the target isn’t enough to cause any damage.
However, it would open the way to brute-forcing passwords or performing credential-stuffing attacks.
“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” comments Eclypsium in the report.
“Standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems.”
System admins are recommended to disable remote administration options and add remote authentication steps where possible.
Additionally, admins should minimize the external exposure of server management interfaces like Redfish and ensure that the latest available firmware updates are installed on all systems.