SecurityWeek

Critical AMI BMC Vulnerability Exposes Servers to Disruption, Takeover 

A critical vulnerability affecting baseboard management controller (BMC) firmware made by AMI could expose many devices to remote attacks, according to firmware and hardware security company Eclypsium.

Eclypsium has been analyzing AMI BMC security for years. In the summer of 2023, the company disclosed two serious flaws, warning that they could expose millions of devices that use AMI’s MegaRAC BMC to takeover and physical damage. 

The company’s researchers on Tuesday reported discovering a new flaw, tracked as CVE-2024-54085. The new vulnerability is similar to CVE-2023-34329, one of the 2023 vulnerabilities, which allows authentication bypass, but it’s unclear if CVE-2024-54085 is the result of an incomplete patch or an entirely new security hole — that is still being investigated.

The BMC enables administrators to remotely monitor and control devices, including updating firmware and installing operating systems. BMC firmware made by AMI is present in millions of devices worldwide, including ones made by Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, and Qualcomm.

According to Eclypsium, CVE-2024-54085 has been confirmed to impact servers made by HPE, Asus, Asrock and Lenovo. AMI, Lenovo and HPE appear to have published advisories to date to inform customers about patches and mitigations.

While AMI has made patches available, it’s now up to OEMs to push them out to their customers through updates.

The vulnerability impacts the Redfish management interface and its exploitation can lead to authentication bypass. It can be remotely exploited to control the targeted machine, deploy malware, tamper with the firmware, and even brick motherboard components, or cause physical damage by changing voltage settings. 

“In disruptive or destructive attacks, attackers can leverage the often heterogeneous environments in data centers to potentially send malicious commands to every other BMC on the same management segment, forcing all devices to continually reboot in a way that victim operators cannot stop,” Eclypsium explained. “In extreme scenarios, the net impact could be indefinite, unrecoverable downtime until and unless devices are re-provisioned.”

A Shodan search conducted by the security firm revealed more than 1,000 internet-exposed MegaRAC instances that could be vulnerable to such attacks. However, a significantly higher number could be vulnerable to attacks conducted by local or network attackers.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
