A series of vulnerabilities in AMI MegaRAC can render servers unusable

Hace poco investigadores de Eclypsium, dieron a conocer mediante una publicación de blog, que han identificado una serie de vulnerabilidades en los controladores BMC equipados con el firmware MegaRAC de American Megatrends (AMI), que utilizan muchos fabricantes de servidores para organizar el control autónomo de los equipos.

Para quienes desconocen de un BMC, deben saber que este es un controlador especializado instalado en servidores que tiene sus propias interfaces de sondeo de CPU, memoria, almacenamiento y sensores, lo que proporciona una interfaz de bajo nivel para monitorear y controlar el hardware del servidor.

Dado que el equipo instalado en los centros de datos suele estar unificado, se puede realizar un ataque a través del BMC inmediatamente en todos los servidores del centro de datos después de que uno de los sistemas se vea comprometido. Las vulnerabilidades también se pueden utilizar para atacar a proveedores de la nube o sistemas de virtualización desde sistemas invitados.

Eclypsium researchers recently disclosed in a blog post that they have identified a number of vulnerabilities in BMC controllers equipped with the American Megatrends (AMI) MegaRAC firmware, which are used by many server manufacturers to orchestrate autonomous control of the teams.

For those unfamiliar with a BMC, this is a specialized controller installed in servers that has its own CPU, memory, storage, and sensor polling interfaces, providing a low-level interface for monitoring and controlling server hardware. .

Since the equipment installed in data centers is often unified, an attack through the BMC can be carried out immediately on all servers in the data center after one of the systems is compromised. The vulnerabilities can also be used to attack cloud providers or virtualization systems from guest systems.

Regarding the vulnerabilities, it is mentioned that they allow an unauthenticated attacker to gain access to the BMC control environment and execute its firmware-level code by sending a specially crafted request to the HTTP port of the Redfish control interface.

The problem with this is that as a rule, access to the BMC is opened only for the local network or the data center network, but it happens that it is not closed for access from the global network either. Exploitation of vulnerabilities in the BMC can also be done by accessing the local operating system to damage the computer.

It is mentioned that gaining attacker access to the BMC software environment, which works independently of the operating system running on the server, makes it possible to implement attack scenarios such as replacing firmware, remotely booting your system via the network, tampering with the remote access console (for example, monitoring administrator actions on the system and input substitution), equipment failure (for example, increasing the voltage supplied to the processor or "crashing" the firmware), interruption of stable operation (initiation reboots and power outages), using the BMC environment as a springboard for attacks on other systems.

Regarding the vulnerabilities identified, it is mentioned that the most critical are:

 CVE-2023-34329 This is an authentication bypass vulnerability when passing modified HTTP headers when sending a request to the Redfish web interface. The gist of the vulnerability is that Redfish supports two authentication modes: "Basic Auth" when accessing from the outside and "No Auth" when accessing from the internal interface IP addresses or the USB0 interface. In firmware with "No Auth" mode enabled, an attacker can use this mode by changing the HTTP header when accessing the API from an external network. For example, an unauthenticated attacker could use the API to create a new account, and then use it to gain full access to the Redfish interface.
 CVE-2023-34330 is a code substitution vulnerability through the Dynamic Redfish Extension interface. The Redfish implementation of the AMI has a debugging feature for firmware developers that allows root code to run in the BMC environment by sending a special HTTP POST request. For some reason this debugging feature was not disabled in production firmware when running queries from the local system. Using the "No Auth" mode, an attacker on the local system can execute any code at the BNC chip level without passing authentication.
 In combination with the CVE-2023-34329 vulnerability, the issue allows a remote attacker, who can send network requests to the BMC management interface HTTP port, to simulate sending a request from the internal network interface and execute any code at the BMC firmware level.