A research team has found three different vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) software.
MegaRAC is a BMC software implementation developed by American Megatrends (AMI), which is also one of the largest providers of UEFI/BIOS firmware for computers. Manufacturers known to have used MegaRAC BMC in at least some of their products include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.
CVE-2022-40259 (CVSS 9.5) – an arbitrary code execution vulnerability in the Redfish API implementation. An attacker with minimal access to the target device could trigger the flaw with a specially crafted request.
CVE-2022-40242 (CVSS 8.3) – default credentials for a UID 0 shell over SSH. The researchers stated that they found “a hash in etc/shadow for the sysadmin user,” which they cracked to recover the default credentials. Exploiting this vulnerability only requires an attacker to have remote access to the target device.
CVE-2022-2827 (CVSS 7.5) – during password reset, one of the request parameters lets an adversary confirm which user accounts exist by querying candidate usernames. The attacker can then perform credential stuffing or brute-force attacks against those accounts.
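The root cause behind CVE-2022-2827 is a password-reset endpoint whose reply differs depending on whether the queried username exists, which turns the reset form into a username oracle. The following added example (not code from the page or from AMI's MegaRAC) contrasts that pattern with a hardened handler that returns the same reply either way; the account table, the token store and the function names are constructed for illustration.

```python
import secrets
from typing import Callable, Dict

# Constructed in-memory account table; a real BMC keeps its users elsewhere (assumption).
ACCOUNTS: Dict[str, str] = {
    "sysadmin": "sysadmin@bmc.example",
    "operator": "operator@bmc.example",
}

# Reset tokens issued by the handlers, keyed by username (constructed store).
PENDING_RESETS: Dict[str, str] = {}


def reset_password_vulnerable(username: str) -> dict:
    """Leaks account existence: the reply differs for known and unknown usernames."""
    if username not in ACCOUNTS:
        # A distinct status and message for unknown names is exactly what an
        # enumeration script looks for.
        return {"status": 404, "message": "User not found"}
    PENDING_RESETS[username] = secrets.token_urlsafe(32)
    return {"status": 200, "message": f"Reset link sent to {ACCOUNTS[username]}"}


def reset_password_hardened(username: str) -> dict:
    """Same externally visible reply whether or not the account exists."""
    generic = {
        "status": 200,
        "message": "If that account exists, a password reset link has been sent.",
    }
    # Always generate a token so known and unknown names take comparable time;
    # only store it (and, in a real system, deliver it) when the user exists.
    token = secrets.token_urlsafe(32)
    if username in ACCOUNTS:
        PENDING_RESETS[username] = token
    return generic


def leaks_account_existence(handler: Callable[[str], dict], known: str, unknown: str) -> bool:
    """True if the handler's reply lets a caller tell an existing account from a missing one."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_password_vulnerable),
                          ("hardened", reset_password_hardened)):
        print(name, "leaks existence:", leaks_account_existence(handler, "sysadmin", "nobody"))
```

The hardened handler also does the same amount of work on both paths; a constant message alone is not enough if the existence check still shows up as a measurable timing difference. Rate limiting on the reset endpoint and logging of reset attempts per source address are the operational complements to this fix.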
These vulnerabilities pose a serious risk because they could lead to supply chain attacks. Many server manufacturers, including NVidia, AMD, Asus, Huawei, Lenovo, Quanta, and Dell EMC, use MegaRAC BMC.
| Product | Affected versions |
|---|---|
| AMI MegaRAC SPx12 | 0 – 6.00 |
| AMI MegaRAC SPx13 | 0 – 4.00 |
Mitigations for the MegaRAC BMC vulnerabilities
- Make sure critical firmware and remote server management subsystems (like MegaRAC, iDRAC, iLO, etc.) are covered in vulnerability assessments.
- Server owners should also review the default configurations on their BMCs and disable default accounts or change default passwords.
- Make sure the software is up-to-date and remove unnecessary remote access.