Newly discovered vulnerabilities in AMI MegaRAC BMC firmware allow attackers to remotely take over servers even when those servers are powered off. The bugs were found by studying source code that became publicly available after a leak.
Security firm Eclypsium has disclosed new and dangerous vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (AMI MegaRAC BMC) firmware that would allow attackers to compromise servers at scale. MegaRAC BMC is a component used by server manufacturers worldwide for what is known as "lights-out" management: it lets administrators manage servers even while they are powered off.
Gigabyte leak
Two years ago, server manufacturer Gigabyte was hit by a ransomware attack. The criminals stole 112 GB of data, including the source code of the MegaRAC BMC firmware. Eclypsium researchers worked through this code and discovered five vulnerabilities. These allow attackers to take control of servers, spy on them, or simply render them unusable. Even physical damage, by manipulating supply voltages, is possible.
Moreover, once attackers have a foothold in a management network, they can send the same command to every server running the BMC, so a single attack can do a great deal of damage. Eclypsium reported the vulnerabilities to AMI, which has since released firmware patches. Unfortunately, firmware updates traditionally reach production systems slowly, so in many environments the risk of abuse remains.
Available Source Code
Eclypsium highlights two of the vulnerabilities in particular:
- CVE-2023-34329 allows authentication to be bypassed via HTTP header spoofing.
- CVE-2023-34330 allows attackers to inject code through the Dynamic Redfish Extension interface.
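The following Python is an added illustration of the bug class behind an authentication bypass via HTTP header spoofing; it is not AMI's code and is not taken from Eclypsium's write-up. It models a web handler that lets a client-supplied header decide whether a request arrived over a trusted internal interface, beside a hardened version that uses the local address the TCP connection actually terminated on, plus a detection check for requests whose header claim contradicts that address. The header name `X-Request-Interface`, the interface address, and the "no authentication on the host interface" setting are assumptions made for this example.

```python
"""Illustration (not AMI's code) of the bug class behind an authentication
bypass via HTTP header spoofing: a server decides whether to skip
authentication based on a client-controlled header instead of the interface
on which the request actually arrived."""
from dataclasses import dataclass

# Hypothetical names and values, chosen for this example only.
INTERNAL_HOST_IFACE_ADDR = "169.254.0.17"   # assumed BMC address on the host-side interface
TRUST_HEADER = "X-Request-Interface"        # hypothetical header the vulnerable server trusts
TRUSTED_IFACE_NAME = "usb0"                  # hypothetical name the header is expected to carry


@dataclass
class Request:
    headers: dict          # fully client-controlled
    local_addr: str        # address of the BMC interface that accepted the TCP connection
    session_valid: bool = False


def vulnerable_is_authenticated(req: Request, no_auth_on_host_iface: bool) -> bool:
    """Vulnerable: a header, which any remote client can set, decides that the
    request came over the host interface and therefore needs no credentials."""
    claimed = req.headers.get(TRUST_HEADER, "").lower()
    if no_auth_on_host_iface and claimed == TRUSTED_IFACE_NAME:
        return True
    return req.session_valid


def hardened_is_authenticated(req: Request, no_auth_on_host_iface: bool) -> bool:
    """Hardened: the socket's local address is a server-side fact the remote
    client cannot forge, so it is the only thing consulted for the exemption."""
    if no_auth_on_host_iface and req.local_addr == INTERNAL_HOST_IFACE_ADDR:
        return True
    return req.session_valid


def is_spoof_attempt(req: Request) -> bool:
    """Detection: the request claims the trusted interface in its header but
    arrived on a different one. Worth logging/alerting on a network-facing BMC."""
    claimed = req.headers.get(TRUST_HEADER, "").lower()
    return claimed == TRUSTED_IFACE_NAME and req.local_addr != INTERNAL_HOST_IFACE_ADDR


def demo() -> dict:
    # Constructed requests. "spoofed" arrives on the network-facing management
    # address with no session but carries the forged header; "legit_host" really
    # arrives on the host-side interface.
    spoofed = Request(headers={TRUST_HEADER: "usb0"}, local_addr="10.0.0.50")
    legit_host = Request(headers={}, local_addr=INTERNAL_HOST_IFACE_ADDR)
    return {
        "vuln_spoofed_accepted": vulnerable_is_authenticated(spoofed, True),
        "hard_spoofed_accepted": hardened_is_authenticated(spoofed, True),
        "hard_legit_host_accepted": hardened_is_authenticated(legit_host, True),
        "hard_spoofed_noauth_disabled": hardened_is_authenticated(spoofed, False),
        "spoof_detected": is_spoof_attempt(spoofed),
        "legit_flagged": is_spoof_attempt(legit_host),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened version is that the exemption is keyed to something the server observes about the connection itself rather than anything the client sends; in a real server the local address comes from the accepted socket, not from any header. Disabling the no-authentication option altogether, where the deployment allows it, removes the exemption entirely.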
The researchers point out that the Gigabyte leak gave attackers access to the same code, so they may already have discovered these attack vectors on their own; patching is therefore very important. Eclypsium also stresses that AMI staff were very responsive and cooperative after the vulnerabilities were reported. There is currently no evidence of exploitation of the bugs in the wild.
To exploit the vulnerabilities, attackers must first somehow reach a management interface. Keeping such management networks off the public internet already mitigates a large part of the risk. Beyond that, updating is and remains important, especially for a component as critical as a BMC.