Critical AMI MegaRAC Bugs Can Let Hackers Brick Vulnerable Servers

Eclypsium researchers have disclosed two new vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) firmware from American Megatrends International (AMI), the more severe of which is rated critical. MegaRAC BMC software gives administrators "out-of-band" and "lights-out" remote management: they can troubleshoot and recover a server as if physically present at the machine, even when the host operating system is down. Because the BMC sits below the operating system with that level of control, these vulnerabilities pose a significant risk and need immediate attention to prevent exploitation and unauthorized access to the managed systems.

“The two security flaws enable attackers to bypass authentication or inject malicious code via Redfish remote management interfaces exposed to remote access:

  • CVE-2023-34329 - Authentication Bypass via HTTP Header Spoofing (9.9/10 CVSS 3.0 base score)
  • CVE-2023-34330 - Code injection via Dynamic Redfish Extension interface (6.7/10 CVSS 3.0 base score)
By combining these vulnerabilities, a remote attacker with network access to the BMC management interface and lacking BMC credentials can gain remote code execution on servers running vulnerable firmware. This is accomplished by tricking the BMC into perceiving the HTTP request as originating from the internal interface. Consequently, the attacker can upload and execute arbitrary code remotely, potentially even from the Internet, if the interface is exposed online” (BleepingComputer, 2023).

Security Officer Comments:
Notably, in December 2022 and January 2023, Eclypsium researchers disclosed five other vulnerabilities affecting MegaRAC BMC (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258). Those earlier flaws could allow hijacking, bricking, or remotely infecting affected servers with malware. The two latest vulnerabilities can be chained with the previously reported ones. In particular, CVE-2022-40258 involves weak password hashes for Redfish and the API, which could help attackers crack the passwords of the BMC's admin accounts and make the attack even easier. Although there is no current evidence of these vulnerabilities being exploited in the wild, Eclypsium warned that, since threat actors have access to the same source material the researchers analyzed, the risk of these vulnerabilities being weaponized is considerably heightened.

Suggested Correction(s):
    Ensure that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems are on dedicated management networks and are not exposed externally, and restrict access to internal BMC interfaces to administrative users with ACLs or firewalls, per Zero Trust Architecture principles. U.S. Government agencies must adhere to CISA's recent Binding Operational Directive 23-02, which requires that either:
  • The BMC interface is removed from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network);
  • The BMC interface is protected by capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).
Review vendor default configurations of device firmware to identify and disable built-in administrative accounts, and use remote authentication where available. Change default BMC credentials as soon as possible and establish unique user accounts for each administrator. Perform regular software and firmware updates on critical servers. Consult vendor guides and recommendations for hardening BMCs against unauthorized access and supply-chain threats. Note that UEFI hardening guidance may apply to many BMC settings, as the BMC has direct access to the UEFI.

Ensure that vulnerability assessments and fixed-scope red team engagements include remote server management subsystems (MegaRAC, iDRAC, iLO, etc.) and critical firmware. Ensure that all critical firmware in servers is regularly monitored for indicators of compromise or unauthorized modification; this includes monitoring for outbound traffic originating from any BMC, which should normally only talk to hosts on the management network.

Perform supply-chain checks of new equipment, and confirm that all new servers arrive with major vulnerabilities patched and the latest firmware installed. Revisit threat modeling, tabletop exercises, DFIR playbooks and disaster recovery planning to incorporate IT supply-chain threats and their impact scenarios, including site-wide catastrophic scenarios, which are especially plausible in homogeneous environments where every server runs the same BMC firmware.

Monitor BMCs for changes in integrity. Some BMCs report integrity measurements to a root of trust (RoT), which may be a TPM, a dedicated security chip or coprocessor, or a CPU secure memory enclave; watch those integrity features for unexpected changes and platform alerts. Eclypsium states that its platform will cover the newly discovered vulnerabilities through forthcoming functionality that dynamically updates scan results, in line with CISA's BMC guidance: "Use firmware scanning tools periodically. [...] Establish a schedule to collect and inspect BMC firmware for integrity and unexpected changes. Include firmware audits in comprehensive anti-malware scanning tasks."

Never ignore a BMC, even if it has been disabled. Keep all BMCs updated and securely configured: over time a device may be relocated or repurposed, and the BMC may be turned back on.
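The placement and egress checks recommended above (dedicated management network, ACL-restricted access, and watching for outbound traffic from BMCs) as an added example, not code from this advisory, BleepingComputer or Eclypsium: a Python audit that flags any BMC sitting outside the management prefix or on a publicly routable address, and scans flow records for connections a BMC initiated to anything outside the management network. The inventory, the management prefix and the flow lines are constructed for illustration; a real run would read the inventory from a CMDB and the flows from a NetFlow/IPFIX or firewall export.

```python
"""Audit BMC network placement and detect BMC-initiated egress.

Added example, not from the advisory, BleepingComputer or Eclypsium.
Everything below (inventory, management prefix, flow records) is
constructed for illustration.
"""
import ipaddress

# Constructed: the prefix that is supposed to be the isolated management network.
MGMT_NETS = [ipaddress.ip_network("10.250.0.0/22")]

# RFC 1918 space. We classify "public" by RFC 1918 membership rather than
# ipaddress.is_global, because the TEST-NET documentation addresses used
# below stand in for real public addresses and is_global() treats them as
# non-global.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: BMC address per server.
BMC_INVENTORY = {
    "srv-01": "10.250.1.10",
    "srv-02": "10.250.1.11",
    "srv-03": "10.40.7.25",      # BMC cabled onto a production VLAN
    "srv-04": "203.0.113.45",    # BMC on a publicly routable address
}

# Constructed flow records: "initiator responder proto dport bytes".
FLOW_LOG = """\
10.250.1.10 10.250.0.5 tcp 514 2048
10.250.1.11 10.250.0.5 udp 123 76
10.250.1.11 198.51.100.7 tcp 443 51200
10.40.7.25 10.40.7.1 tcp 443 900
10.40.7.25 192.0.2.88 tcp 4444 7800
10.250.0.9 10.250.1.10 tcp 443 1500
"""


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def _is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not (_in_any(addr, PRIVATE_NETS) or ip.is_loopback or ip.is_link_local)


def audit_bmc_placement(inventory, mgmt_nets=MGMT_NETS):
    """Return {host: finding} for every BMC outside the management network.

    "public"   -> routable from the Internet unless something upstream blocks it
    "off-mgmt" -> private, but reachable from ordinary hosts, not just admins
    """
    findings = {}
    for host, addr in inventory.items():
        if _in_any(addr, mgmt_nets):
            continue
        findings[host] = "public" if _is_public(addr) else "off-mgmt"
    return findings


def flag_bmc_egress(flow_text, bmc_addrs, mgmt_nets=MGMT_NETS):
    """Return flows a BMC initiated toward a destination outside mgmt_nets.

    A BMC normally only reaches syslog/NTP/update hosts on the management
    network, so anything else it opens (above all to a public address)
    is a candidate indicator of an implant calling out.
    """
    bmc_set = {ipaddress.ip_address(a) for a in bmc_addrs}
    suspicious = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        if ipaddress.ip_address(src) not in bmc_set:
            continue                      # only BMC-initiated flows matter here
        if _in_any(dst, mgmt_nets):
            continue                      # expected management-plane traffic
        suspicious.append({"src": src, "dst": dst, "proto": proto,
                           "dport": int(dport), "bytes": int(nbytes),
                           "dst_is_public": _is_public(dst)})
    return suspicious


if __name__ == "__main__":
    for host, finding in audit_bmc_placement(BMC_INVENTORY).items():
        print(f"{host}: BMC {BMC_INVENTORY[host]} is {finding}")
    for f in flag_bmc_egress(FLOW_LOG, BMC_INVENTORY.values()):
        print(f"BMC egress: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} "
              f"({f['bytes']} bytes, public={f['dst_is_public']})")
```

Feed the placement audit into the BOD 23-02 review and treat every "public" finding as an interface to pull off the Internet now; the egress check is the kind of rule to run continuously against flow exports, since a BMC that starts initiating sessions to unfamiliar destinations is exactly the behaviour firmware-integrity monitoring is meant to catch.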

Link(s):
https://www.bleepingcomputer.com/
https://eclypsium.com/research/bmcc-lights-out-forever/