Flaws in MegaRAC baseband management firmware impact many server brands

Researchers have found three vulnerabilities in AMI MegaRAC, a baseband management controller (BMC) firmware used by multiple server manufacturers. If exploited, the flaws could allow attackers to remotely control servers, deploy malware and firmware implants, or trigger damaging actions that leave them inoperable.

BMCs are microcontrollers present on server motherboards that have their own firmware, dedicated memory, power, and network ports and are used for out-of-band management of servers when their main operating systems are shut down. They are essentially small independent computers running inside bigger computers that allow administrators to remotely perform a variety of maintenance and diagnostic tasks including reinstalling operating systems, restarting servers when they’re unresponsive, deploying firmware updates and more.

These “lights out” management capabilities are critical for IT administrators, especially when dealing with private cloud infrastructures in remote data centers, but they can become a huge security risk if they’re left unprotected and reachable by potential attackers. Unfortunately, over the years, researchers have found vulnerabilities in BMC implementations from multiple server vendors and some of the flaws have even been adopted by sophisticated threat actors.

In 2019, researchers from security company Eclypsium found a serious vulnerability in the BMC used by Supermicro servers. At the time, over 47,000 Supermicro BMC interfaces were exposed to the internet. Earlier this year, an Iranian security firm reported a malicious implant dubbed iLOBleed being deployed on Hewlett Packard Enterprise (HPE) Gen8 and Gen9 through known vulnerabilities in HPE iLO (HPE’s Integrated Lights-Out) BMC. A scan showed that 7,799 HPE iLO interfaces were exposed to the internet at the time.

Arbitrary code execution and default admin credentials in AMI MegaRAC

MegaRAC is a BMC software implementation developed by American Megatrends (AMI), which is also one of the largest providers of UEFI/BIOS firmware for computers. Manufacturers known to have used MegaRAC BMC in at least some of their products include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.

The flaws, found by researchers from Eclypsium, are exploitable through Redfish, a standardized RESTful API that can be used to manage servers, storage, networking, and other infrastructure and is implemented by the MegaRAC BMC software – as well as the BMC of many other server vendors.

The Eclypsium researchers investigated the MegaRAC implementation of the Redfish API and found a URL where the attacker can pass crafted requests that would get executed as the sysadmin (UID = 0) user and open a reverse shell to a domain provided by the attackers. This would give them full control over the BMC firmware with the highest privileges, but one limitation is that the attackers need to have a minimum level of access on the device (callback or up) to send the request. This vulnerability is rated critical with a score of 9.9 on the CVSS scale and is tracked as CVE-2022-40259.

The second vulnerability, tracked as CVE-2022-40242 and rated as 8.3 (High) severity, involves hard-coded credentials for the UID = 0 user. The researchers found the hash for the password in the /etc/shadow file on the file system and were able to crack the hash. Attackers could use this default password, if left unchanged, to access the BMC software over SSH, if SSH is enabled.

“The password looked like a default, and we managed to find back references to it going as far back as 2014 by other people,” the researchers said. “Finding them is left as an exercise to the reader.”

The third issue, also rated as high severity (7.5), is tracked as CVE-2022-2827 and allows attackers to perform username enumeration through the Redfish API. When attempting to perform a password reset for a user, the API responds in a way that reveals whether the user exists. This enables attackers to attempt password resets for common or possible usernames and determine if they exist in the system and then potentially try to brute-force their passwords.

“MegaRAC BMC firmware is one of the common threads that connects much of the hardware that underlies the cloud,” the Eclypsium researchers said. “As a result, any vulnerability in MegaRAC can easily spread through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, in order to abstract computing from the hardware, it is critical that the physical servers within a data center are interchangeable. To this end, cloud providers standardize on server components, hardware configurations, firmware and operating system versions, and hypervisor software. So, if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk.”

Mitigations for the MegaRAC BMC vulnerabilities

BMC management interfaces such as Redfish and IPMI should never be exposed directly to the internet, and Eclypsium’s scans suggest that in this case public exposure is relatively low. However, these vulnerabilities can also be exploited if an attacker gains access to an internal network, so BMC interfaces should only be available on dedicated management network segments and access to them should be further restricted using ACLs or firewalls.

Server owners should also review the default configurations on their BMCs and disable default accounts or change default passwords. The BMC firmware should be the subject of regular vulnerability assessment and regular patching. These firmware components should also be constantly monitored for indicators of compromise or modifications, especially since a malicious firmware implant can potentially block updates and lie about the firmware version. This is something the iLOBleed implant was designed to do. When commissioning a new server, it’s critical to make sure that it’s running the latest firmware version and has all the known vulnerabilities patched.

“As attackers shift their focus from user facing operating systems to the lower-level embedded code which hardware relies on, compromise becomes harder to detect and exponentially more complex to remediate,” the Eclypsium researchers said. “While compromise of a server OS can be resolved with a wipe and reinstallation, firmware compromise has the potential to remain beyond reinstallation and even more drastic measures like hard drive replacement.”