Three vulnerabilities in the MegaRAC baseboard management controller (BMC) firmware, which is used in a huge number of data centers and cloud platforms, could present a serious, long-term threat to those environments as well as to enterprises that run their own affected servers.
MegaRAC BMC is among the more widely used BMC firmwares on the market and is shipped by a wide range of server manufacturers, including AMD, HP Enterprise, Lenovo, Dell EMC, and Huawei. A BMC is essentially a separate computer that sits on the server and provides an out-of-band management channel. It typically includes its own networking stack, firmware, and other components, and gives an administrator the ability to manage all aspects of the server’s functionality from a separate management interface, independent of the host operating system. So an attacker who is able to gain privileged access to a server's BMC would be in a powerful position on the box.
The flaws in the MegaRAC BMC that researchers at Eclypsium discovered include a critical arbitrary code execution vulnerability (CVE-2022-40259) in MegaRAC's Redfish API implementation that is trivially exploitable and would give an attacker complete control of the BMC firmware. The attacker would only need network access to the BMC's management interface, which should never be exposed to the Internet, and an account on the BMC with at least some low-level privileges. If those conditions are met, an attacker would have little trouble.
The long-term risk from these issues comes from the fact that MegaRAC is present in such a long list of servers, and from the difficulty of getting updated BMC firmware onto all of those machines, especially in massive data centers.
“MegaRAC BMC firmware is one of the common threads that connects much of the hardware that underlies the cloud. As a result, any vulnerability in MegaRAC can easily spread through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, in order to abstract computing from the hardware, it is critical that the physical servers within a data center are interchangeable,” the Eclypsium blog post on the flaws says.
“To this end, cloud providers standardize on server components, hardware configurations, firmware & operating system versions, and hypervisor software. So if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk.”
Eclypsium researchers discovered the three vulnerabilities earlier this year after finding some data from MegaRAC manufacturer American Megatrends Inc. (AMI) online. After looking at the data, they realized it was legitimate and began looking for potential vulnerabilities. They eventually focused their attention on the Redfish API, a DMTF standard RESTful interface for managing servers in data centers and hybrid environments. The arbitrary code execution bug is the most serious of the three, and the Eclypsium researchers developed a working exploit for it.
“To find this issue, initially we reviewed for potentially dangerous calls such as command execution calls. We narrowed it down only to calls exposed to the user, and there was one sitting in the Redfish API implementation. The only complication is the attack sits in the path parameter, but it is not URL-decoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command,” the researchers said.
The other two flaws are less serious but still could present problems. One is the presence of default user credentials (CVE-2022-40242), and the other is the ability to enumerate users through the API (CVE-2022-2827).
“The vulnerabilities can be exploited by any remote attacker having access to remote management interfaces (Redfish, IPMI). The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),” Nate Warfield, director of threat research and intelligence at Eclypsium, said.
“Organizations with large server farms, data centers, and potentially cloud and hosting providers are particularly vulnerable for this kind of exploit. Attack scenarios could be as simple as attackers using CVE-2022-40242 (default superuser credentials) to login to affected servers, or a more complex scenario could be using CVE-2022-2827 to find a user account, then use brute force attacks/credential stuffing to determine the password. From there, CVE-2022-40259 could be exploited as it only requires a user account with privilege level higher than ‘None’.”
Eclypsium reported the vulnerabilities to AMI and updates from server manufacturers likely will be forthcoming. Warfield said they are not aware of any evidence of attackers exploiting these flaws in the wild, and GreyNoise, which monitors the Internet for exploit traffic, said it has not seen any IP addresses attempting to exploit these flaws, either.