Eclypsium Research has reported three vulnerabilities, which it refers to collectively as BMC&C, in the AMI MegaRAC Baseboard Management Controller (BMC). These vulnerabilities affect cloud services and 15 computing hardware manufacturers.
Titled Supply Chain Vulnerabilities Put Server Ecosystem At Risk, the report stated that BMC&C can allow cybercriminals to execute code remotely and perform username enumeration attacks.
Major computing hardware manufacturers linked to these vulnerabilities are AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett Packard Enterprise, Huawei, Inspur, Lenovo, NVIDIA, Qualcomm, Quanta, and Tyan. The flaws also concern cloud service and data-storage providers.
“These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services,” the report stated. “As such, these vulnerabilities can pose a risk to an organization’s servers and hardware as well as the hardware that supports the cloud services that they use.”
Eclypsium researchers came across the vulnerabilities while investigating leaked proprietary code. They are still unaware of any active exploitation of the three vulnerabilities.
BMCs Allow Remote Code Access to Cybercriminals
The AMI MegaRAC BMC provides ‘lights-out’ remote system management, letting administrators configure and control servers remotely. Though convenient, the capability can be equally damaging if administrators don’t take the necessary precautions.
That’s why the recently discovered security vulnerabilities in AMI BMCs are concerning: cybercriminals who can reach the remote management interface (RMI) can exploit them to bypass authentication and execute code remotely. In other words, cybercriminals who obtain superuser permissions could gain total control of the servers.
You can find more information on the three security vulnerabilities in the following links:
- CVE-2022-40259 – Arbitrary Code Execution via Redfish API
- CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
- CVE-2022-2827 – User enumeration via API
Of the three, CVE-2022-40259 is the most critical vulnerability because it allows arbitrary code execution through the Redfish API. It will also be cybercriminals’ first choice of attack because it is remotely accessible. CVE-2022-40259, however, requires prior access to a low-privilege account, while CVE-2022-40242 has no access requirements.
Beyond remote control of the server, cybercriminals exploiting BMC&C can also carry out remote malware deployment, remote ransomware deployment, remote firmware implants, and bricking, which renders servers unusable and unrecoverable.
How Cybercriminals Could Exploit the BMC Vulnerabilities
BMCs are special components that provide out-of-band management for servers. They are effectively fully functional, self-contained computers within a given server, with their own power, firmware, networking stack, and memory.
These BMC capabilities allow administrators to control practically everything on the server. BMC admins can control low-level hardware settings, the host operating system, virtual hosts, applications, and data. This means any remote user who gains superuser access holds the same privileges.
When successfully carried out, cyberattacks through these BMCs are especially persistent and hard to remove. Once cybercriminals implant code in the BMC firmware, it survives reinstallation of the software. Even if the firmware status reports as updated, the implanted code could be spoofing that status.
But the trouble with these vulnerabilities doesn’t end with individual servers — in fact, the entire server ecosystem is at risk. This is because AMI’s hardware also supports many cloud storage providers.
Top-Level Vulnerabilities Imperil Entire Server Ecosystem
Since AMI (formerly American Megatrends) is a major hardware component manufacturer supplying a number of other hardware vendors and cloud storage facilities, any AMI BMC flaw can spread to millions of systems.
Businesses that use cloud storage providers for data storage can be at risk if the providers are using AMI BMC. And that includes a vast majority of cloud service providers, data centers, and companies.
“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” stated the Eclypsium report. “Standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems.”
The BMC&C vulnerabilities go beyond company-specific and cloud-provider breaches, sitting a level below network hacking and social engineering scams. Because these vulnerabilities exist in the supplier’s hardware, they affect, by extension, the cloud storage providers built on that hardware and the businesses using those providers’ services.
Adjusting the Network Architecture to Prevent Cloud Ecosystem Compromises
Though cybercriminals haven’t yet exploited BMC&C, businesses should review their network architecture and their cloud storage providers accordingly. In these cases, preventive cybersecurity measures are key. Though these measures never make headlines, they keep security vulnerabilities from being exploited.
For example, experts recommend that network administrators use single-tenant rather than multi-tenant cloud architectures. Though more expensive, a single-tenant cloud architecture is far more secure than public or multi-tenant architectures. Moreover, single-tenant architectures can meet industry-specific compliance requirements rather than only generic cloud storage compliance.
Multi-tenant architectures, on the other hand, are more exposed to BMC&C and similar security vulnerabilities. Because these architectures offer limited controls, even well-run environments may become compromised over time as new and less careful tenants share the same physical servers.
For smaller companies that have to use public cloud ecosystems, network monitoring and automation tools may provide sufficient protection. These tools support efficient networking, application and traffic optimization, and bandwidth management.
As a better alternative to multi-tenant cloud providers in terms of both cost and security, network administrators can explore hybrid-cloud infrastructures. These keep smaller datasets in-house while other files are stored with third-party providers.
Addressing the AMI BMC Vulnerabilities
Realistically, businesses and companies can’t exert control or ownership over AMI hardware components and the wider cloud ecosystem. What they can control, however, is their networks’ quality and security — and that isn’t asking a lot for the damages that these measures can prevent.
To improve their network security, businesses must stay compliant, regularly patch and scan their networks, and stay vigilant. In dealing directly with the three AMI BMC vulnerabilities, the best option is to add steps to the remote authentication process. For example, consider enabling two-factor authentication (2FA), by SMS or email, for remote access to the BMC.
Regardless of any measures discussed, businesses must install the latest firmware updates across all their systems. Businesses disregarding the BMC vulnerabilities would be taking a huge risk with their servers. Even though no exploits have happened yet, malware and spyware could still be covertly operating in your systems.
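The firmware-update advice above is easier to act on with an inventory of which BMCs are still below the fixed version. The following script is an added example (not code from the Eclypsium report, AMI, or any vendor): it reads Redfish Manager resource documents of the kind a BMC returns under /redfish/v1/Managers/<id>, compares each BMC's FirmwareVersion against a per-model baseline, and reports which units need attention. The property names (FirmwareVersion, Manufacturer, Model) follow the Redfish Manager schema, but verify them against your BMC's actual output. The vendor name, models, baseline versions and sample documents are all constructed placeholders; the real fixed versions come from your hardware vendor's advisory.

```python
"""Audit BMC firmware versions from Redfish Manager resource documents.

Added example for the BMC&C article, not code from Eclypsium or AMI.
Baselines and sample documents are constructed placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder baselines keyed by (Manufacturer, Model). Fill these from the
# vendor advisory for your hardware; the values below are NOT real fixed versions.
BASELINE_BY_MODEL: Dict[Tuple[str, str], str] = {
    ("ExampleVendor", "Model-A"): "1.14.0",
    ("ExampleVendor", "Model-B"): "2.3",
}


@dataclass
class Finding:
    manager_id: str
    manufacturer: str
    model: str
    firmware: Optional[str]
    baseline: Optional[str]
    status: str  # one of: ok, outdated, unknown-version, no-baseline


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.14.0' or '2.3b' into a tuple of ints; non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_outdated(current: str, baseline: str) -> bool:
    """True when current < baseline, padding so '2.3' compares equal to '2.3.0'."""
    cur, base = version_key(current), version_key(baseline)
    width = max(len(cur), len(base))
    cur += (0,) * (width - len(cur))
    base += (0,) * (width - len(base))
    return cur < base


def audit_managers(manager_docs: List[dict],
                   baselines: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Classify each Redfish Manager document against the baseline table."""
    findings = []
    for doc in manager_docs:
        manager_id = doc.get("Id", "?")
        manufacturer = doc.get("Manufacturer", "")
        model = doc.get("Model", "")
        firmware = doc.get("FirmwareVersion")
        baseline = baselines.get((manufacturer, model))
        # A missing or non-numeric version cannot be trusted as "up to date";
        # surface it for manual review rather than silently passing it.
        if firmware is None or not re.search(r"\d", firmware):
            status = "unknown-version"
        elif baseline is None:
            status = "no-baseline"
        elif is_outdated(firmware, baseline):
            status = "outdated"
        else:
            status = "ok"
        findings.append(Finding(manager_id, manufacturer, model, firmware, baseline, status))
    return findings


def needs_action(findings: List[Finding]) -> List[str]:
    """Manager ids that must be updated or manually checked."""
    return [f.manager_id for f in findings if f.status in ("outdated", "unknown-version")]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. for a dashboard or ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample documents shaped like /redfish/v1/Managers/<id> responses.
SAMPLE_MANAGERS = [json.loads(s) for s in [
    '{"Id": "bmc1", "Manufacturer": "ExampleVendor", "Model": "Model-A", "FirmwareVersion": "1.12.3"}',
    '{"Id": "bmc2", "Manufacturer": "ExampleVendor", "Model": "Model-A", "FirmwareVersion": "1.14"}',
    '{"Id": "bmc3", "Manufacturer": "ExampleVendor", "Model": "Model-B", "FirmwareVersion": "2.3.1"}',
    '{"Id": "bmc4", "Manufacturer": "ExampleVendor", "Model": "Model-C", "FirmwareVersion": "0.9"}',
    '{"Id": "bmc5", "Manufacturer": "ExampleVendor", "Model": "Model-B"}',
]]

if __name__ == "__main__":
    results = audit_managers(SAMPLE_MANAGERS, BASELINE_BY_MODEL)
    for f in results:
        print(f"{f.manager_id:6} {f.manufacturer}/{f.model:8} fw={f.firmware!s:8} "
              f"baseline={f.baseline!s:8} -> {f.status}")
    print("needs action:", needs_action(results))
    print("summary:", summarize(results))
```

In production the documents would come from the BMC's Redfish collection (fetch /redfish/v1/Managers, then each member URL) over an authenticated session on the management network; the audit logic is the same. A BMC with no baseline entry is reported separately so that an incomplete baseline table never hides an unpatched unit.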