September 23, 2023

Two new flaws in AMI MegaRAC

Eclypsium researchers discovered and disclosed two new vulnerabilities in MegaRAC, a BMC firmware implementation developed by American Megatrends (AMI), the world's largest provider of BIOS/UEFI and BMC firmware. Server manufacturers that have used AMI MegaRAC in some of their products over time include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.

This isn't the first time Eclypsium has found BMC vulnerabilities. In December 2022 the company disclosed five other vulnerabilities it identified in AMI MegaRAC, some of which allowed arbitrary code execution through the Redfish API or provided SSH access to privileged accounts because of hardcoded passwords.

The two new vulnerabilities are also located in the Redfish management interface. Redfish is a standardized interface for out-of-band management that was developed to replace the older IPMI.

One of the flaws, tracked as CVE-2023-34329, allows attackers to bypass authentication by spoofing HTTP request headers. MegaRAC's Redfish implementation supports two authentication modes: Basic Auth, which has to be configured in the BIOS, and No Auth, which is meant to grant access without authentication when requests arrive from the internal IP address or the USB0 network interface.

The researchers found that it is possible to spoof the HTTP request headers to trick the BMC into believing that external communication is coming from the internal USB0 interface. If No Auth is enabled by default, this gives attackers the ability to perform privileged administrative actions through the Redfish API, including creating new users.
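A defender's baseline check for the No Auth behaviour described above, added here as an example and not code from Eclypsium or AMI: it confirms that a BMC's Redfish service refuses unauthenticated requests for a privileged resource when they arrive over the network, and optionally that Basic Auth still works. It assumes the standard Redfish paths (service root and account collection) and a reachable BMC URL; it does not attempt the header spoofing itself, so a passing result does not replace the vendor firmware update for CVE-2023-34329.

```python
"""Audit a Redfish endpoint for network-reachable unauthenticated access.
Added example (not AMI's or Eclypsium's code); assumes standard Redfish paths."""
import base64
import ssl
import urllib.error
import urllib.request

SERVICE_ROOT = "/redfish/v1/"                       # unauthenticated by spec
PRIVILEGED = "/redfish/v1/AccountService/Accounts"  # must require credentials


def fetch_status(base_url, path, basic_auth=None, verify_tls=True):
    """Return the HTTP status code for GET base_url+path (10 s timeout)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if basic_auth:  # (user, password) tuple -> RFC 7617 Basic credentials
        token = base64.b64encode(f"{basic_auth[0]}:{basic_auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:  # BMCs often ship self-signed certs; replace them in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def assess(root_status, unauth_status, auth_status=None):
    """Classify the probe results. A 200 on the account collection without
    credentials means No Auth is effectively exposed on this network path."""
    if root_status != 200:
        return "unreachable"
    if unauth_status == 200:
        return "FAIL: privileged Redfish resource served without credentials"
    if unauth_status not in (401, 403):
        return f"WARN: unexpected status {unauth_status} for unauthenticated request"
    if auth_status is not None and auth_status != 200:
        return f"WARN: Basic Auth check returned {auth_status}"
    return "PASS: unauthenticated privileged access refused"


def audit(base_url, creds=None, verify_tls=True):
    root = fetch_status(base_url, SERVICE_ROOT, verify_tls=verify_tls)
    unauth = fetch_status(base_url, PRIVILEGED, verify_tls=verify_tls)
    auth = fetch_status(base_url, PRIVILEGED, creds, verify_tls) if creds else None
    return assess(root, unauth, auth)


if __name__ == "__main__":
    import sys  # usage: python audit.py https://bmc.example.invalid (placeholder host)
    print(audit(sys.argv[1], verify_tls=False))
```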

This vulnerability is rated critical with a CVSS score of 9.1 and is serious on its own. Combined with the second flaw, CVE-2023-34330, it is even more dangerous. That is because CVE-2023-34330 stems from a feature that is enabled by default for requests coming from the Host Interface: the ability to send POST requests that include actual code to be executed on the BMC chip with root privileges.