Two new flaws in AMI MegaRAC
Eclypsium researchers found and disclosed two new vulnerabilities in MegaRAC, a BMC firmware implementation developed by American Megatrends (AMI), the world’s largest supplier of BIOS/UEFI and BMC firmware. Server manufacturers that have used AMI MegaRAC in some of their products over time include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.
This is not the first time Eclypsium found BMC vulnerabilities. In December 2022 the company disclosed five other vulnerabilities it identified in AMI MegaRAC, some of which allowed for arbitrary code execution via the Redfish API or provided SSH access to privileged accounts due to hardcoded passwords.
The two new vulnerabilities are also located in the Redfish management interface. Redfish is a standardized interface for out-of-band management that has been developed to replace the older IPMI.
One of the flaws, tracked as CVE-2023-34329, allows attackers to bypass authentication by spoofing HTTP request headers. MegaRAC’s Redfish implementation supports two authentication modes: Basic Auth, which must be enabled in the BIOS, and No Auth, which is meant to grant access without authentication when requests arrive from the internal IP address or the USB0 network interface.
The researchers discovered that it’s possible to spoof HTTP request headers to trick the BMC into believing that external communication is coming from the internal USB0 interface. If No Auth is enabled by default, this gives attackers the ability to perform privileged administrative actions through the Redfish API, including creating new users.
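The root cause described above is a trust decision derived from data the client controls. The following is an added illustration, not AMI's or Eclypsium's code: a minimal Redfish-style authorization gate in its vulnerable form (origin read from a request header) beside a hardened form (origin taken from the accepted socket's interface and peer address), plus a small log check that flags externally received requests whose headers claim a host-interface origin. The header name `X-Origin-Interface`, the interface names, the 169.254.0.0/24 range, the credentials and the log format are all constructed placeholders; the page does not say which header MegaRAC actually trusted.

```python
# Added example (not AMI's or Eclypsium's code). All names and values below
# are constructed placeholders; the real MegaRAC header is not on the page.
import base64
import ipaddress
import re
from dataclasses import dataclass, field

HOST_IFACE = "usb0"                                  # assumed host-interface name
HOST_NET = ipaddress.ip_network("169.254.0.0/24")    # constructed placeholder range
ORIGIN_HEADER = "X-Origin-Interface"                 # hypothetical client-settable header
VALID_BASIC = {("admin", "correct-horse")}           # constructed test credentials


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    peer_ip: str = "0.0.0.0"   # taken from the accepted socket, never from a header
    iface: str = "eth0"        # interface the listener accepted this socket on


def origin_is_host_vulnerable(req: Request) -> bool:
    """Trusts a header the remote client fully controls: a spoofed value makes an
    external request look like it arrived on the host interface."""
    return req.headers.get(ORIGIN_HEADER, "").lower() == HOST_IFACE


def origin_is_host_hardened(req: Request) -> bool:
    """Uses facts the kernel supplies for the connection (accepting interface and
    peer address); neither can be influenced by an HTTP header."""
    return req.iface == HOST_IFACE and ipaddress.ip_address(req.peer_ip) in HOST_NET


def basic_header(user: str, pw: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def basic_auth_ok(req: Request) -> bool:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (user, pw) in VALID_BASIC


def authorize(req: Request, no_auth_enabled: bool, origin_check) -> str:
    """'no-auth' if the No Auth path applies, 'basic' on valid Basic Auth,
    otherwise 'denied'. origin_check is one of the two functions above."""
    if no_auth_enabled and origin_check(req):
        return "no-auth"
    return "basic" if basic_auth_ok(req) else "denied"


# Detection over constructed log lines (not a real MegaRAC log format): flag
# requests accepted on a non-host interface whose header claims a host origin.
LOG_RE = re.compile(
    r"iface=(?P<iface>\S+) peer=(?P<peer>\S+) origin_hdr=(?P<hdr>\S+) path=(?P<path>\S+)"
)

LOG_LINES = [  # constructed sample data
    "2023-07-20T10:00:01Z iface=usb0 peer=169.254.0.17 origin_hdr=- path=/redfish/v1/Systems",
    "2023-07-20T10:00:05Z iface=eth0 peer=203.0.113.7 origin_hdr=usb0 path=/redfish/v1/AccountService/Accounts",
    "2023-07-20T10:00:09Z iface=eth0 peer=203.0.113.9 origin_hdr=- path=/redfish/v1/",
]


def suspicious_requests(lines):
    """Return (peer, path) for every line where the accepting interface is not
    the host interface but the header claims the host interface."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["iface"] != HOST_IFACE and m["hdr"].lower() == HOST_IFACE:
            hits.append((m["peer"], m["path"]))
    return hits


if __name__ == "__main__":
    spoofed = Request(headers={ORIGIN_HEADER: "usb0"}, peer_ip="203.0.113.7", iface="eth0")
    print("vulnerable gate:", authorize(spoofed, True, origin_is_host_vulnerable))
    print("hardened gate:  ", authorize(spoofed, True, origin_is_host_hardened))
    print("flagged:", suspicious_requests(LOG_LINES))
```

The hardened check deliberately takes nothing from the HTTP layer: the interface a listener accepts on and the peer address are properties of the socket that a remote client cannot rewrite. Disabling No Auth removes the unauthenticated path entirely, which is the stronger mitigation where the host-interface convenience is not needed.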
This vulnerability is rated critical with a 9.1 CVSS score and is serious on its own. When combined with the second flaw, CVE-2023-34330, it’s even more dangerous. That’s because the CVE-2023-34330 flaw stems from a feature that is enabled by default for requests coming from the Host Interface: the ability to send POST requests that include actual code to be executed on the BMC chip with root privileges.