Researchers have disclosed three different security vulnerabilities in American Megatrends Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software, highlighting a risk to technology supply chains and to the major IT hardware brands that underpin cloud computing.

Eclypsium, a firmware and hardware security company, reported that the identified vulnerabilities, ranked in severity from Medium to Critical, can lead to remote code execution and unauthorized device access with superuser permission. Malicious hackers can exploit them by accessing remote management interfaces such as IPMI and Redfish to gain control over the systems and cause damage to cloud infrastructure.

“In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services,” Vladislav Babkin, a security researcher at Eclypsium, said in a report. “As such, these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services they use.”

The list of server manufacturers known to use MegaRAC BMC is a long one and includes major brands like AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett Packard Enterprise, Huawei, Inspur, Lenovo, NVIDIA, Qualcomm, Quanta and Tyan. Eclypsium researchers said they believe there are likely additional, undiscovered brands that are similarly vulnerable.

BMCs are specialized service processors designed to control hardware settings and monitor host systems remotely, even when the machines are turned off. Because of these capabilities, BMCs have become a fruitful target for threat actors looking to plant highly persistent malware that can survive reinstallation of the operating system and a complete wipe of the hard drive.

As for AMI MegaRAC BMC, Babkin noted that it is one of the common threads that connect most of the hardware underlying the cloud. Thus, if a vulnerable BMC is used in a data center environment, it is highly likely to affect hundreds or thousands of devices, Babkin added.

The most severe of the vulnerabilities is CVE-2022-40259 (CVSS score: 9.9), an arbitrary code execution via the Redfish API that requires the attacker to already have a minimum level of access on the device.

CVE-2022-40242 (CVSS score: 8.3) concerns a password hash in /etc/shadow for the sysadmin user, which Eclypsium managed to crack, while CVE-2022-2827 (CVSS score: 7.5) allows attackers to test for the presence of user accounts by iterating through a list of possible account names.

Firmware supply chain issues have become increasingly complicated as hackers shift their focus from user-facing operating systems to the lower-level embedded code that supports hardware.

“While compromise of a server OS can be resolved with a wipe & reinstallation, firmware compromise has the potential to remain beyond reinstallation and even more drastic measures like hard drive replacement. Security research into this area is imperative to stay a step ahead of the attacks and protect the foundation upon which modern computing relies,” Babkin said in the report.