Vulnerabilities in "lights out" server management firmware

AMI controllers patched against remote code execution.

A number of high-profile server vendors inherit vulnerabilities in baseboard management controllers from American Megatrends (AMI).

The vulnerabilities affect machines with AMI BMCs that embed the company’s MegaRAC software.

The bugs were discovered by Eclypsium and are detailed here.

“MegaRAC BMC is widely used by many leading server manufacturers to provide ‘lights-out’ management capabilities for their server products," Eclypsium notes.

The chips are used by AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta and Tyan.

The company said it began investigating AMI’s BMCs in August after some of the company’s software was leaked.

Eclypsium said the vulnerabilities it found can be exploited by an attacker that gets access to the management interfaces, which expose remote management APIs to the network.

The most serious of the three bugs Eclypsium detailed is CVE-2022-40259, rated critical with a CVSS score of 9.9.

This bug provides arbitrary code execution via the Redfish remote management API (Redfish is the successor to IPMI, the Intelligent Platform Management Interface).

An API call provides arbitrary code execution, but requires the attacker to have “a minimum access level on the device (callback or up).”

Two other vulnerabilities are rated as high.

CVE-2022-40242 (CVSS score 8.3) is a default credential for root, accessible via SSH; meanwhile CVE-2022-2827 (CVSS score 7.5) provides user enumeration via a password reset request.

One of the password reset parameters “can be manipulated in such a way that it is possible to determine whether the user exists or not, with no prior knowledge other than the username itself,” the advisory explained.

“The vulnerability also allows an attacker to test for the presence of user accounts by iterating through a list of possible account names.”
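The enumeration bug has a simple detection angle: a legitimate user retrying a reset reuses one username, while a sweep through a list of candidate names does not. The following is an added illustration, not code from Eclypsium or AMI; the log layout, the `/api/reset_pass` endpoint path and the source addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (timestamp, source IP, method, path, username).
# The endpoint path and log layout are assumptions, not MegaRAC's actual format.
SAMPLE_LOG = """\
2022-12-05T10:00:01Z 192.0.2.10 POST /api/reset_pass user=admin
2022-12-05T10:00:02Z 192.0.2.10 POST /api/reset_pass user=sysadmin
2022-12-05T10:00:02Z 192.0.2.10 POST /api/reset_pass user=operator
2022-12-05T10:00:03Z 192.0.2.10 POST /api/reset_pass user=root
2022-12-05T10:00:04Z 192.0.2.10 POST /api/reset_pass user=ipmi
2022-12-05T10:00:05Z 192.0.2.10 POST /api/reset_pass user=support
2022-12-05T10:07:00Z 198.51.100.7 POST /api/reset_pass user=jsmith
2022-12-05T10:09:30Z 198.51.100.7 POST /api/reset_pass user=jsmith
2022-12-05T10:10:00Z 203.0.113.5 GET /redfish/v1/Systems user=-
"""
RESET_PATH = "/api/reset_pass"  # assumed password-reset endpoint

def parse_line(line):
    ts, src, method, path, user_kv = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, path, user_kv.split("=", 1)[1]

def enumeration_sources(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {source: sorted usernames} for every source whose password-reset
    requests name at least `threshold` distinct usernames inside one `window`.
    A user retrying a reset reuses one name; an enumeration sweep does not."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, user = parse_line(line)
        if method == "POST" and path == RESET_PATH:
            per_src[src].append((ts, user))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):  # sliding window over this source's requests
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {u for _, u in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            flagged[src] = sorted(best)
    return flagged
```

Feed it the BMC's web access log (or the reverse proxy in front of it); the retrying user at 198.51.100.7 is not flagged, the six-name sweep from 192.0.2.10 is.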

CVE-2022-40259 and CVE-2022-40242 provide access to the administrative shell, the post said, with no further escalation necessary.

AMI has detailed its response to the vulnerabilities in this blog post.

Copyright © iTnews.com.au . All rights reserved.