Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

New AMI BMC Flaws Allowing Takeover and Physical Damage Could Impact Millions of Devices

Two new serious vulnerabilities in AMI BMC, which is used by millions of devices, can allow attackers to take control of systems and cause physical damage.

Firmware and hardware security company Eclypsium has disclosed information on two new vulnerabilities found by its researchers in the American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software.

Eclypsium disclosed other flaws discovered as part of the same research project in December 2022. The analysis focused on information leaked as a result of a ransomware attack launched in 2021 against motherboard maker Gigabyte, a supply chain partner of AMI. The vulnerabilities discovered by the cybersecurity firm in the AMI BMC are collectively tracked as BMC&C.

The BMC software enables administrators to remotely monitor and control a device, without the need to go through the operating system or applications running on it. It can be used to update firmware, install operating systems, and analyze logs. While these features make BMC very useful, they can also make it a tempting target for threat actors.

The BMC made by AMI is present in millions of devices worldwide as it’s used in the products of major companies such as Ampere, Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

The new vulnerabilities disclosed by Eclypsium on Thursday are CVE-2023-34329, a critical authentication bypass issue that can be exploited by spoofing HTTP headers, and CVE-2023-34330, a code injection flaw. 

“When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it,” Eclypsium explained. 

Similar to the previously disclosed vulnerabilities, these new flaws can pose a significant risk to organizations. An attacker who has gained access to the targeted server’s BMC can conduct a wide range of activities, and the impact can be significant, particularly in the case of data centers and cloud environments.

In one theoretical scenario described by Eclypsium, an attacker leverages existing BMC functionality to create a continuous shutdown loop on the host and prevent legitimate users from accessing it. These types of attacks are difficult to detect and address, and researchers warn that the method could be used to extort a targeted organization. 

Advertisement. Scroll to continue reading.

“When this happens to a small number of machines, the impact may be limited in scale, however should the same vulnerabilities be exploited across an entire BMC management segment and affect hundreds or thousands of devices at once, the impact can be catastrophic to operations, and result in indefinite downtime with no ability to recover,” the security firm said.

Access to the BMC also allows an attacker to stealthily access KVM (keyboard/video/mouse) functionality, enabling them not only to closely monitor legitimate users but also conduct activities on their behalf using KVM inputs.

A hacker can also cause physical destruction through power management tampering, by changing CPU voltages and permanently bricking them.

BMC access can also be used for lateral movement, including to other BMCs, network devices, and even to Active Directory.  

While these vulnerabilities could pose a significant risk to millions of systems, Eclypsium is currently not aware of in-the-wild exploitation. Proof-of-concept (PoC) exploits have not been made public, but sophisticated threat actors could find the flaws on their own by looking at the same leaked information that the security firm analyzed. 

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Related: BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.