Two new flaws in AMI MegaRAC
Eclypsium researchers discovered and disclosed two new vulnerabilities in MegaRAC, a BMC firmware implementation developed by American Megatrends (AMI), the world's largest provider of BIOS/UEFI and BMC firmware. Server manufacturers that have used AMI MegaRAC in some of their products over time include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.
This isn't the first time Eclypsium has found BMC vulnerabilities. In December 2022 the company disclosed five other vulnerabilities it identified in AMI MegaRAC, some of which allowed arbitrary code execution via the Redfish API or provided SSH access to privileged accounts because of hardcoded passwords.
The two new vulnerabilities are also located in the Redfish management interface. Redfish is a standardized interface for out-of-band management that was developed to replace the older IPMI.
One of the flaws, tracked as CVE-2023-34329, allows attackers to bypass authentication by spoofing HTTP request headers. MegaRAC's Redfish implementation supports two modes of authentication: Basic Auth, which needs to be set in the BIOS, and No Auth, which is meant to grant access without authentication when requests arrive from the internal IP address or the USB0 network interface (the host-side interface).
The researchers found that it is possible to spoof the HTTP request headers to trick the BMC into believing that external communication is coming from the internal USB0 interface. If No Auth is enabled by default, this gives attackers the ability to perform privileged administrative actions via the Redfish API, including creating new users.
This vulnerability is rated critical with a CVSS score of 9.1 and is serious on its own. Combined with the second flaw, CVE-2023-34330, it becomes even more dangerous. That is because CVE-2023-34330 stems from a feature that is enabled by default for requests coming from the Host Interface: the ability to send POST requests that include actual code to be executed on the BMC chip with root privileges. Chaining the two lets a remote, unauthenticated attacker first pass as host-interface traffic and then reach a code path that was only ever meant for the host.
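The core of CVE-2023-34329 is a trust decision made on client-controlled input: the BMC decides that a request came from the host-side USB0 interface by looking at HTTP headers instead of at the socket the connection actually arrived on. The following is an added illustration of that pattern and its fix, written for this article; it is neither AMI's MegaRAC code nor Eclypsium's proof of concept. The header name `X-Request-Source`, the USB0 address range and the BMC addresses are assumptions chosen for the example, and the article does not name the header that is actually spoofed.

```python
"""
Model of a 'No Auth for host-interface traffic' check, in a vulnerable
and a hardened form. Example code, not MegaRAC firmware.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed values for illustration only.
USB0_HOST_NET = ipaddress.ip_network("169.254.0.0/24")   # host-side USB NIC (assumed)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ORIGIN_HEADER = "X-Request-Source"                       # hypothetical header name


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    local_addr: str = "0.0.0.0"   # address the BMC listener accepted the connection on
    peer_addr: str = "0.0.0.0"    # peer address as reported by the kernel


def is_internal_vulnerable(req: Request) -> bool:
    """Vulnerable: origin is taken from a header any client can set."""
    return req.headers.get(ORIGIN_HEADER, "").lower() == "usb0"


def is_internal_hardened(req: Request) -> bool:
    """Hardened: origin is derived from the socket, headers are ignored."""
    local = ipaddress.ip_address(req.local_addr)
    peer = ipaddress.ip_address(req.peer_addr)
    on_usb0 = local in USB0_HOST_NET and peer in USB0_HOST_NET
    on_loopback = local in LOOPBACK and peer in LOOPBACK
    return on_usb0 or on_loopback


def authorize(req: Request, no_auth_enabled: bool, is_internal, has_valid_creds: bool) -> bool:
    """
    Mirrors the two modes described in the article: a request proceeds with
    valid Basic Auth credentials, or, if No Auth is enabled, when the
    origin check says it came from the host interface.
    """
    if has_valid_creds:
        return True
    return no_auth_enabled and is_internal(req)


def demo() -> dict:
    # Constructed requests. 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
    forged = Request("POST", "/redfish/v1/AccountService/Accounts",
                     {ORIGIN_HEADER: "usb0"},
                     local_addr="192.0.2.10",    # BMC management IP (assumed)
                     peer_addr="203.0.113.5")    # remote attacker
    genuine = Request("GET", "/redfish/v1/", {},
                      local_addr="169.254.0.17", peer_addr="169.254.0.2")
    return {
        "forged_vulnerable": authorize(forged, True, is_internal_vulnerable, False),
        "forged_hardened": authorize(forged, True, is_internal_hardened, False),
        "forged_no_auth_disabled": authorize(forged, False, is_internal_vulnerable, False),
        "genuine_hardened": authorize(genuine, True, is_internal_hardened, False),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

The forged request is accepted by the header-based check and rejected by the socket-based one, while a genuine host-interface request still passes. The third case shows the configuration-level mitigation: with No Auth disabled, the forged header buys the attacker nothing even against the vulnerable check. The hardened check is only as strong as the assumption that nothing reachable from the network can present the USB0 local address, so the interface must also be kept unroutable from the management LAN.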