Researchers found a critical vulnerability in the AMI MegaRAC baseboard management controller (BMC) firmware used by multiple server manufacturers. The vulnerability could allow attackers to bypass authentication and take control of vulnerable servers over the Redfish management interface.
“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop,” researchers from firmware security company Eclypsium stated in their report.
This is the eighth vulnerability that Eclypsium researchers have found in MegaRAC, the BMC firmware implementation from UEFI/BIOS vendor American Megatrends (AMI). BMCs are microcontrollers on server motherboards with their own firmware, dedicated memory, power and network ports; they are used for out-of-band management of servers even when the main operating system is shut down.
Administrators can access BMCs remotely through the Intelligent Platform Management Interface (IPMI) or Redfish, a standardized RESTful API, to perform maintenance and diagnostic tasks including reinstalling operating systems, restarting servers, deploying firmware updates and more.
Flaw discovered while analyzing previous patch
The Eclypsium researchers stumbled across the new vulnerability, now tracked as CVE-2024-54085, while analyzing AMI’s patch for a similar authentication bypass issue they reported back in 2023, tracked as CVE-2023-34329. Both vulnerabilities are located in the Redfish API implementation and can be exploited by modifying HTTP request headers.
The new issue affects MegaRAC SP-X versions as old as 2024-08-27, and the researchers confirmed it on multiple versions of the HPE Cray XD670, a server for large language model training and natural language processing, on Asus RS720A-E11-RS24U servers and on an unspecified flash storage server from ASRockRack. MegaRAC SP-X is used by many server manufacturers, and products from over a dozen vendors are likely affected.
The vulnerability is located in the host-interface-support-module.lua script of the Redfish interface, specifically in how the values of the “X-Server-Addr” and “Host” request headers are validated. The lighttpd web server always adds an X-Server-Addr value containing the IP address of the Redfish instance; however, the code then checks this value with a regular expression that extracts everything before the first ‘:’ character. The extracted value is compared against values from the database, such as IP addresses.
The researchers realized that if they prepend 169.254.0.17: to this header value in the request, the IP address 169.254.0.17 is extracted and, since it is present in the Redfish database, authentication is skipped. In some non-default configurations additional IP addresses, for example 192.168.31.2, might be present in the database, and these could likewise be used to bypass authentication.
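To make the parsing flaw concrete, here is an added illustration in Python (not the vendor's Lua script and not Eclypsium's code) that models the lenient check beside two hardened alternatives: a strict parse that requires the whole header value to be exactly one valid address plus the expected port, and a front-end policy that discards any client-supplied X-Server-Addr before setting its own. The function names, the allow-list contents and the sample header values are constructed for the example; the article does not describe what AMI's fix actually does, so the hardened variants are assumptions about sound design, not a description of the patch.

```python
"""
Model of the header check described above. Added illustration, not the
vendor's host-interface-support-module.lua: function names, the
allow-list and the sample header values are constructed.
"""
import ipaddress
import re

# Constructed stand-in for the Redfish "database" of trusted host
# addresses; the article names 169.254.0.17 as the default entry.
TRUSTED_HOST_ADDRS = {"169.254.0.17"}

# The lenient pattern the article describes: keep everything before
# the first ':' and ignore the rest of the value.
_BEFORE_FIRST_COLON = re.compile(r"^([^:]*):")


def weak_is_trusted(x_server_addr: str) -> bool:
    """Lenient check (the flawed pattern): compare only the prefix
    before the first ':' against the allow-list. Anything after that
    colon is never looked at, so the value as a whole is not validated."""
    m = _BEFORE_FIRST_COLON.match(x_server_addr)
    return bool(m) and m.group(1) in TRUSTED_HOST_ADDRS


def strict_is_trusted(x_server_addr: str, expected_port: int) -> bool:
    """Hardened check: the entire value must be exactly one 'ip:port'
    pair whose port is the one this instance listens on and whose
    address parses as a real IP that is on the allow-list."""
    host, sep, port = x_server_addr.rpartition(":")
    if not sep or not port.isdigit() or int(port) != expected_port:
        return False
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return str(addr) in TRUSTED_HOST_ADDRS


def sanitize_inbound_headers(headers: dict, local_ip: str, local_port: int) -> dict:
    """Front-end policy (assumed, not what the page says AMI did): drop
    any client-supplied X-Server-Addr and set the value from the socket
    the request arrived on, so the backend never sees client data here."""
    cleaned = {k: v for k, v in headers.items() if k.lower() != "x-server-addr"}
    cleaned["X-Server-Addr"] = f"{local_ip}:{local_port}"
    return cleaned


if __name__ == "__main__":
    REDFISH_PORT = 443  # constructed
    for value in ("169.254.0.17:443", "169.254.0.17:203.0.113.9:443", "192.168.31.2:443"):
        print(f"{value!r}: weak={weak_is_trusted(value)} "
              f"strict={strict_is_trusted(value, REDFISH_PORT)}")
    print(sanitize_inbound_headers({"X-Server-Addr": "169.254.0.17:untrusted",
                                    "Host": "bmc.example"}, "203.0.113.20", REDFISH_PORT))
```

The strict parse is defense in depth; the more important change is the front-end one, because a trust decision should never rest on a header the client can write into the request in the first place.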
In a proof-of-concept exploit against HPE Cray XD670 version 1.17, the researchers used the authentication bypass to access the Redfish account creation API and create a new user with administrator privileges. This user would then have access to all BMC features remotely.
Risks to BMCs are serious and overlooked
The researchers used the Shodan search engine and found over 1,000 internet-exposed MegaRAC SP-X Redfish instances that could potentially be vulnerable. However, the vulnerability can also be exploited from local networks without Redfish being exposed to the internet.
Due to the privileged position BMCs hold relative to the host operating system, attackers could exploit such flaws to deploy highly persistent rootkits and malware implants for long-term cyberespionage, reinfecting the OS even after it has been completely wiped and restored. BMCs also give admins the ability to send keyboard events to the OS remotely as if they were physically at the machine, and such actions cannot be blocked by endpoint protection solutions.
BMCs could also be leveraged in ransomware-like scenarios with servers being disrupted in a way that’s very hard to recover from.
“In disruptive or destructive attacks, attackers can leverage the often heterogeneous environments in data centers to potentially send malicious commands to every other BMC on the same management segment, forcing all devices to continually reboot in a way that victim operators cannot stop,” the Eclypsium researchers said. “In extreme scenarios, the net impact could be indefinite, unrecoverable downtime until and unless devices are re-provisioned.”
BMC vulnerabilities and misconfigurations, including hardcoded credentials, have been of interest to attackers for over a decade. In 2022, security researchers found a malicious implant dubbed iLOBleed that was likely developed by an APT group and was being deployed through vulnerabilities in HPE iLO (HPE’s Integrated Lights-Out) BMC. In 2018, a ransomware group called JungleSec used default credentials for IPMI interfaces to compromise Linux servers. And back in 2016, Intel’s Active Management Technology (AMT) Serial-over-LAN (SOL) feature, which is part of Intel’s Management Engine (Intel ME), was exploited by an APT group as a covert communication channel to transfer files.
OEM, server manufacturers in control of patching
AMI released an advisory and patches to its OEM partners, but affected users must wait for their server manufacturers to integrate them and release firmware updates. In addition to this vulnerability, AMI also patched a flaw tracked as CVE-2024-54084 that may lead to arbitrary code execution in its AptioV UEFI implementation. HPE and Lenovo have already released updates for their products that integrate AMI’s patch for CVE-2024-54085.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have previously issued guidance on hardening BMC interfaces.
Eclypsium advises companies never to expose Redfish, IPMI or any other BMC subsystem directly to the internet. BMCs should be reachable only from network segments dedicated to management, and administrative access should additionally be restricted with firewalls and access control lists.
New equipment should always have its firmware updated before use and be inspected for known vulnerabilities and potential supply chain implants. The firmware should be kept up to date on an ongoing basis, which might require scheduled downtimes and reboots. BMC firmware logs should also be monitored for unexpected behavior and new account creation.
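For the last recommendation, an added example of how the account-creation check can be automated (this is not Eclypsium's or AMI's tooling): it compares the accounts a BMC reports through the standard Redfish AccountService collection against an approved baseline and flags unexpected accounts, role changes and missing approved accounts. The Members, UserName, RoleId and Enabled properties are from the DMTF Redfish ManagerAccount schema; the sample collection, the baseline and the assumption that a collector fetched it from /redfish/v1/AccountService/Accounts are constructed for the example.

```python
"""
Audit a BMC's Redfish account collection against an approved baseline.
Added example, not vendor tooling. The sample JSON and the baseline are
constructed; the property names follow the Redfish ManagerAccount schema.
"""
import json

# Constructed baseline: which accounts an approved BMC should carry (user -> role).
APPROVED_ACCOUNTS = {
    "admin": "Administrator",
    "monitor": "ReadOnly",
}

# Roles that can change firmware, power state or other accounts.
PRIVILEGED_ROLES = {"Administrator", "Operator"}

# Constructed sample of an expanded account collection, as a collector
# might have fetched it from /redfish/v1/AccountService/Accounts (assumed path).
SAMPLE_ACCOUNTS_JSON = """
{
  "Members": [
    {"Id": "1", "UserName": "admin",   "RoleId": "Administrator", "Enabled": true},
    {"Id": "2", "UserName": "monitor", "RoleId": "Operator",      "Enabled": true},
    {"Id": "3", "UserName": "svc_upd", "RoleId": "Administrator", "Enabled": true},
    {"Id": "4", "UserName": "",        "RoleId": "ReadOnly",      "Enabled": false}
  ]
}
"""


def audit_accounts(collection: dict, approved: dict) -> list[dict]:
    """Return one finding per deviation from the approved baseline.

    Empty or disabled slots are skipped: many BMCs expose a fixed number
    of account slots and unused ones look exactly like that.
    """
    findings = []
    seen = set()
    for member in collection.get("Members", []):
        name = member.get("UserName", "")
        role = member.get("RoleId", "")
        if not name or not member.get("Enabled", False):
            continue
        seen.add(name)
        if name not in approved:
            # A new account is the post-exploitation step the article describes.
            findings.append({
                "severity": "high" if role in PRIVILEGED_ROLES else "medium",
                "account": name,
                "issue": f"unexpected account with role {role}",
            })
        elif approved[name] != role:
            findings.append({
                "severity": "high" if role in PRIVILEGED_ROLES else "low",
                "account": name,
                "issue": f"role changed from {approved[name]} to {role}",
            })
    for name in sorted(approved.keys() - seen):
        findings.append({
            "severity": "medium",
            "account": name,
            "issue": "approved account missing or disabled",
        })
    return findings


def audit_sample() -> list[dict]:
    """Run the audit over the constructed sample collection."""
    return audit_accounts(json.loads(SAMPLE_ACCOUNTS_JSON), APPROVED_ACCOUNTS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"[{finding['severity']}] {finding['account']}: {finding['issue']}")
```

Run against a fleet, the same function can be fed each BMC's collection in turn; the baseline is per-site policy and should be kept under version control so that a diff in findings lines up with a documented change rather than an unexplained one.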