The National Cyber Security Centre SK-CERT warns of two vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) that enable bypassing authentication and injecting arbitrary code. Regarding the nature of the vulnerable systems, physical damage to vulnerable servers is also possible.
The MegaRAC Baseboard Management Controller is a component that is used for server management, independent of the operating system. This component is enabled even when the main operating system is not running. This component is included in servers of several brands. According to available sources, these include Dell EMC, Gigabyte, Nvidia, Qualcomm, HP Enterprise, Huawei, Ampere Computing, ASRock, AMD, and so on.
The vulnerabilities are found in the MegaRAC BMC firmware and are tracked as CVE-2023-34329 and CVE-2023-34330.
The vulnerability CVE-2023-34329 enables bypassing authentication via HTTP Header Spoofing and obtaining the highest privileges on the device. The vulnerability has a CVSS value of 9.1.
The vulnerability CVE-2023-34330 enables the execution of arbitrary code via Dynamic Redfish Extension interface. The vulnerability has a CVSS value of 8.2.
The impact of exploiting these vulnerabilities includes, in particular, remote control of compromised devices, obtaining sensitive information, reconfiguring or modifying the BIOS, remote code execution, physical damage to affected devices, or indefinite reboot loops of the device that cannot be interrupted.
The vulnerability is not easy to fix as each manufacturer releases device firmware updates. Since this is an update of the firmware and not of the operating system, such type of the update is not always part of the regular update process in organizations.
Regarding the both vulnerabilities, the National Cyber Security Centre SK-CERT recommends:
- ensure that all interfaces used for remote server management and all BMC subsystems are in a separate management network and cannot be accessed from the Internet;
- update the server firmware. After the firmware update, some devices must be physically disconnected from the power supply and afterwards reconnected;
- also make sure that BMC interfaces are only accessible to administrators with appropriate privileges. Use strong and unique passwords for each account. Set access accounts and rights as defined in your access control policies;
- check and verify devices that have remote system management capabilities, whether they contain original configurations, default accounts and passwords, and so on;
- perform regular software updates. For devices that are critical, do not wait for the regular update window and update them as soon as a manufacturer’s update is available.
« Späť na zoznam