
The widely used server remote management firmware MegaRAC contains a critical flaw that attackers can exploit to bypass authentication and take full control of servers. Major brands such as HPE, Asus, Lenovo, and ASRockRack are affected, and firmware updates are underway.
Attackers can compromise vulnerable instances simply by sending crafted network requests, gaining full control of the server.
Eclypsium researchers found the critical security flaw CVE-2024-54085, rated 10.0 out of 10 on the CVSS scale, in AMI's MegaRAC software. The software runs on the Baseboard Management Controller (BMC), a dedicated chip on the motherboard that provides remote management.
This lets administrators control a server remotely regardless of the state of its operating system, including when the host is powered off.
Eclypsium confirmed that the vulnerability, which arises where several internal firmware components interact, is present on several server models widely used in datacenters. Because the affected code comes from AMI, a major firmware supplier, it is reused by many vendors.
“There are likely to be more affected devices and/or vendors,” the researchers said.
“Since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers.”
Search engines that index internet-facing devices reveal at least 1,000 exposed servers running vulnerable software versions. The researchers confirmed that the flaw affects HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack servers.
How can the flaw be exploited?
The exploit is not complex. An attacker can bypass authentication remotely through the Redfish Host Interface, part of the DMTF Redfish open standard for server management.
Attackers can scan the internet for vulnerable servers themselves or use a search service such as Shodan. They then craft HTTP POST requests with a tampered header so that the request appears to originate from a trusted address.
Vulnerable MegaRAC versions do not validate this header properly and skip the password check, letting the attacker create a new administrative user.
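The bug class described above is "trust derived from attacker-controlled bytes": an authorization decision made from a request header instead of from the connection itself. The following Python is an added illustration written for this page, not code from MegaRAC, AMI or Eclypsium. The page does not name the header or the trusted addresses, so the header name `X-Origin-Addr`, the address `169.254.0.17`, the account table and the request shape are all constructed placeholders. It shows a minimal Redfish-style account-creation handler with the vulnerable trust check beside a hardened one that uses only the socket peer address.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the address the BMC treats as its own Redfish Host Interface peer
# (the in-band channel to the host OS). The real trust list and the real header
# name are not given on this page; both values below are illustrative.
HOST_IFACE_ADDRS = {ipaddress.ip_address("169.254.0.17")}
TRUST_HEADER = "X-Origin-Addr"   # hypothetical header name

# Constructed credential store: username -> (password, Redfish RoleId)
ACCOUNTS = {"admin": ("correct horse battery", "Administrator")}
ACCOUNTS_PATH = "/redfish/v1/AccountService/Accounts"


@dataclass
class Request:
    method: str
    path: str
    peer_ip: str                           # taken from the TCP socket, not the client
    headers: dict = field(default_factory=dict)
    basic_auth: Optional[tuple] = None     # (username, password) or None
    body: dict = field(default_factory=dict)


def header_claims_host_iface(req: Request) -> bool:
    """Vulnerable trust decision: believe an attacker-controlled header."""
    try:
        claimed = ipaddress.ip_address(req.headers.get(TRUST_HEADER, "").strip())
    except ValueError:            # empty or malformed header: not trusted
        return False
    return claimed in HOST_IFACE_ADDRS


def socket_is_host_iface(req: Request) -> bool:
    """Hardened trust decision: derive the source only from the connection itself.
    A remote attacker's peer_ip is their own address, so no header can spoof it."""
    return ipaddress.ip_address(req.peer_ip) in HOST_IFACE_ADDRS


def credentials_valid(req: Request) -> bool:
    if req.basic_auth is None:
        return False
    user, password = req.basic_auth
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored[0], password)


def create_account(req: Request, trusted_source) -> tuple:
    """Handle POST /redfish/v1/AccountService/Accounts.

    `trusted_source` is one of the two trust decisions above. Returns
    (HTTP status, resulting account table); ACCOUNTS itself is not mutated,
    so repeated calls are independent."""
    if req.method != "POST" or req.path != ACCOUNTS_PATH:
        return 404, dict(ACCOUNTS)
    # The flaw this page describes: a request that looks like it came from the
    # trusted host interface skips the password check entirely.
    if not (trusted_source(req) or credentials_valid(req)):
        return 401, dict(ACCOUNTS)
    new = dict(ACCOUNTS)
    new[req.body["UserName"]] = (req.body["Password"], req.body["RoleId"])
    return 201, new


if __name__ == "__main__":
    spoofed = Request("POST", ACCOUNTS_PATH, peer_ip="203.0.113.9",
                      headers={TRUST_HEADER: "169.254.0.17"},
                      body={"UserName": "backdoor", "Password": "x",
                            "RoleId": "Administrator"})
    print("vulnerable check:", create_account(spoofed, header_claims_host_iface)[0])
    print("hardened check:  ", create_account(spoofed, socket_is_host_iface)[0])
```

The hardened variant still lets a genuinely in-band caller skip credentials; the safer design is to require credentials on every path and use the connection's source only as an additional constraint, never as a substitute for authentication.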
“This completely exposes Web UI login and all remote BMC features,” Eclypsium said.
An attacker could then remotely deploy malware or ransomware, tamper with firmware, brick motherboard components and, in extreme cases, cause physical damage to the hardware or force reboot loops that operators cannot stop.
“In disruptive or destructive attacks, attackers can leverage the often heterogeneous environments in datacenters to potentially send malicious commands to every other BMC on the same management segment, forcing all devices to continually reboot in a way that victim operators cannot stop,” the security firm warns.
Even when the BMC is reachable only from an adjacent management network rather than the internet, the flaw still scores 9.6 out of 10.
No exploitation in the wild had been observed at the time of writing. AMI has released patches to its OEM partners, who are incorporating the fixes into their own firmware and publishing advisories to customers.
“Note that patching these vulnerabilities is a non-trivial exercise, requiring device downtime,” Eclypsium said.
The researchers recommend that no remote server management interface be exposed externally, and that internal access be restricted to administrators using firewalls or access control lists.
“Perform regular software and firmware updates on servers. Ensure that all server firmware is regularly monitored for indicators of compromise or unauthorized modifications. Monitor logs for unexpected behavior such as new account creation,” the report reads.
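One concrete way to act on the monitoring advice above is to baseline the accounts on each BMC and periodically diff the live Redfish `AccountService` collection against that baseline, since the attack described on this page leaves a new administrator account behind. The script below is an added example for this page, not tooling from Eclypsium or AMI. `fetch_accounts` walks the standard DMTF Redfish paths (`/redfish/v1/AccountService/Accounts` and its members) on a live BMC; `audit_accounts` is the offline comparison, run here against a constructed baseline and constructed sample responses.

```python
import base64
import json
import ssl
import urllib.request

# Constructed baseline recorded at commissioning: Redfish account Id -> expected
# username and role. In practice store this per BMC alongside the asset record.
BASELINE = {
    "1": {"UserName": "admin", "RoleId": "Administrator"},
    "2": {"UserName": "monitor", "RoleId": "ReadOnly"},
}

# Constructed sample of what GET /redfish/v1/AccountService/Accounts/<Id> returns
# (DMTF ManagerAccount fields), with one extra administrator nobody provisioned.
SAMPLE_ACCOUNTS = [
    {"Id": "1", "UserName": "admin", "RoleId": "Administrator", "Enabled": True},
    {"Id": "2", "UserName": "monitor", "RoleId": "ReadOnly", "Enabled": True},
    {"Id": "3", "UserName": "svc_update", "RoleId": "Administrator", "Enabled": True},
]

SEVERITY_ORDER = {"high": 0, "medium": 1}


def fetch_accounts(base_url, username, password, verify_tls=True):
    """Walk the Redfish AccountService collection on a live BMC and return one
    dict per account. Needs network access, so it is not exercised below."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # many BMCs ship self-signed certs; pin them instead where you can
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def get(path):
        req = urllib.request.Request(base_url + path,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)

    collection = get("/redfish/v1/AccountService/Accounts")
    return [get(member["@odata.id"]) for member in collection.get("Members", [])]


def audit_accounts(baseline, accounts):
    """Compare live accounts against the baseline.

    Returns findings as (severity, account_id, description) tuples sorted by
    severity; an empty list means no drift. An unexpected account holding the
    Administrator role is the signature of the attack this page describes."""
    findings = []
    seen = set()
    for acct in accounts:
        acct_id = str(acct["Id"])
        seen.add(acct_id)
        expected = baseline.get(acct_id)
        if expected is None:
            sev = "high" if acct.get("RoleId") == "Administrator" else "medium"
            findings.append((sev, acct_id,
                             f"unexpected account {acct.get('UserName')!r} "
                             f"with role {acct.get('RoleId')!r}"))
            continue
        for key in ("UserName", "RoleId"):   # renamed or escalated accounts
            if acct.get(key) != expected[key]:
                findings.append(("high", acct_id,
                                 f"{key} changed from {expected[key]!r} to {acct.get(key)!r}"))
    for acct_id in sorted(baseline.keys() - seen):   # deleted accounts
        findings.append(("medium", acct_id,
                         f"baseline account {baseline[acct_id]['UserName']!r} is missing"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for sev, acct_id, desc in audit_accounts(BASELINE, SAMPLE_ACCOUNTS):
        print(f"[{sev}] account {acct_id}: {desc}")
```

Run this from the management network against every BMC on a schedule and alert on any "high" finding; a diff is far more reliable than grepping BMC logs, because an attacker with administrative access can also clear those logs.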
Also, beware that new equipment may still ship with older firmware and need patching before it is deployed. All MegaRAC versions released before 2024-08-28 are vulnerable.