Two new flaws in AMI MegaRAC
Eclypsium researchers discovered and disclosed two new vulnerabilities in MegaRAC, a BMC firmware implementation developed by American Megatrends (AMI), the world's largest provider of BIOS/UEFI and BMC firmware. Server manufacturers that have used AMI MegaRAC in some of their products over time include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.
This isn't the first time Eclypsium has found BMC vulnerabilities. In December 2022 the company disclosed five other vulnerabilities it identified in AMI MegaRAC, some of which allowed arbitrary code execution via the Redfish API or provided SSH access to privileged accounts due to hardcoded passwords.
The two new vulnerabilities are also located in the Redfish management interface. Redfish is a standardized interface for out-of-band management that was developed to replace the older IPMI.
One of the flaws, tracked as CVE-2023-34329, allows attackers to bypass authentication by spoofing HTTP request headers. MegaRAC's Redfish implementation supports two modes of authentication: Basic Auth, which has to be configured in the BIOS, and No Auth, which is meant to provide access without authentication if the requests come from the internal IP address or the USB0 network interface.
The researchers found that it is possible to spoof HTTP request headers to trick the BMC into believing that external communication is coming from the internal USB0 interface. If No Auth is enabled by default, this gives attackers the ability to perform privileged administrative actions through the Redfish API, including creating new users.
This vulnerability is rated critical with a CVSS score of 9.1 and is serious on its own. When combined with the second flaw, CVE-2023-34330, it is even more dangerous. That is because CVE-2023-34330 stems from a feature that is enabled by default for requests coming from the Host Interface: the ability to send POST requests that include actual code to be executed on the BMC chip with root privileges.
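The core defect described above is an authentication decision that trusts a client-controlled header instead of the transport-level peer address. The following is an added illustration written for this article, not MegaRAC code: the header name, the internal address range and the log records are all constructed, and the two functions show the flawed pattern next to the hardened one, plus the audit check a defender would run over access records.

```python
import ipaddress

# Constructed sample range standing in for the internal host interface (USB0);
# the real address range is not given in the article.
INTERNAL_NET = ipaddress.ip_network("169.254.0.0/16")
NO_AUTH_ENABLED = True  # the default the article identifies as risky


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def vulnerable_requires_auth(peer_ip: str, headers: dict) -> bool:
    """Flawed pattern: the request origin is read from a client-supplied
    header (hypothetical name), so any client can claim to be internal
    and be routed down the No Auth path."""
    claimed_origin = headers.get("X-Origin-Interface-IP", peer_ip)  # hypothetical
    if NO_AUTH_ENABLED and is_internal(claimed_origin):
        return False
    return True


def hardened_requires_auth(peer_ip: str, headers: dict) -> bool:
    """Hardened pattern: decide only from the address the TCP stack reports
    for the peer; request headers play no part in the decision."""
    if NO_AUTH_ENABLED and is_internal(peer_ip):
        return False
    return True


def flag_unauthenticated_external(records: list) -> list:
    """Detection view: a request served without authentication whose peer
    address is not on the internal interface is exactly the condition a
    successful header spoof produces. Each record is a constructed dict
    with 'peer_ip', 'path' and 'authenticated' keys."""
    return [r for r in records
            if not r["authenticated"] and not is_internal(r["peer_ip"])]


# Constructed sample access records for the audit check.
SAMPLE_RECORDS = [
    {"peer_ip": "169.254.1.20", "path": "/redfish/v1/Systems", "authenticated": False},
    {"peer_ip": "203.0.113.5", "path": "/redfish/v1/AccountService/Accounts", "authenticated": False},
    {"peer_ip": "203.0.113.6", "path": "/redfish/v1/Systems", "authenticated": True},
]
```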