Critical Vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) Firmware

Published on 24 Jul 2023

Two critical vulnerabilities (CVE-2023-34329 and CVE-2023-34330) were recently discovered in AMI's MegaRAC BMC, a specialised service processor which allows administrators to control and manage servers remotely.

The vulnerabilities are:

CVE-2023-34329: Successful exploitation of this vulnerability could allow an attacker to bypass authentication via a spoofed HTTP header.

CVE-2023-34330: Successful exploitation of this vulnerability could allow an attacker to inject malicious code via the Dynamic Redfish Extension.

When both vulnerabilities are chained together, successful exploitation could allow an unauthenticated attacker to gain unauthorised access with superuser permissions and perform Remote Code Execution (RCE).

Administrators are advised to ensure that remote server management interfaces such as Redfish, and the BMC subsystems behind them, are not exposed externally. Administrators should also ensure that access to internal BMC interfaces is restricted to administrative users only, with robust Access Control Lists (ACLs) in place. Additionally, administrators should review the vendor default configuration of their device firmware to identify and disable built-in administrative accounts, and establish unique administrative accounts as soon as possible.
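The three hardening steps above (no external exposure, access limited to approved management networks, built-in administrative accounts replaced by unique ones) can be checked against data a BMC already exposes over Redfish. The script below is an added example, not code from AMI or from this advisory: it runs offline on constructed sample data shaped like the Redfish ManagerAccount collection (/redfish/v1/AccountService/Accounts) and the manager's EthernetInterface resources. The field names (UserName, Enabled, RoleId, IPv4Addresses/Address) follow the public DMTF Redfish schema; the list of built-in account names and the approved management subnet are assumptions to adapt to your environment.

```python
"""Offline audit of a BMC's Redfish account list and interface addresses
against the hardening guidance in the advisory above.

Added example, not AMI's or the advisory's code. Sample data is constructed;
field names follow the DMTF Redfish ManagerAccount / EthernetInterface schema.
"""
import ipaddress

# Constructed sample: members of /redfish/v1/AccountService/Accounts.
SAMPLE_ACCOUNTS = [
    {"Id": "1", "UserName": "admin", "Enabled": True, "RoleId": "Administrator"},
    {"Id": "2", "UserName": "root", "Enabled": True, "RoleId": "Administrator"},
    {"Id": "3", "UserName": "ops-jdoe", "Enabled": True, "RoleId": "Administrator"},
    {"Id": "4", "UserName": "monitor", "Enabled": False, "RoleId": "ReadOnly"},
]

# Constructed sample: members of /redfish/v1/Managers/<id>/EthernetInterfaces.
SAMPLE_INTERFACES = [
    {"Id": "eth0", "IPv4Addresses": [{"Address": "10.20.30.40"}]},
    {"Id": "eth1", "IPv4Addresses": [{"Address": "203.0.113.17"}]},
]

# Assumption: generic vendor-default account names; extend from vendor docs.
BUILTIN_NAMES = {"admin", "administrator", "root", "sysadmin", "user"}

# Assumption: the only networks a BMC interface is allowed to be addressed on.
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]


def enabled_builtin_accounts(accounts):
    """Enabled accounts that still carry a generic built-in name."""
    return [a["UserName"] for a in accounts
            if a.get("Enabled") and a.get("UserName", "").lower() in BUILTIN_NAMES]


def unique_admin_count(accounts):
    """Number of enabled Administrator-role accounts with a non-built-in name."""
    return sum(1 for a in accounts
               if a.get("Enabled") and a.get("RoleId") == "Administrator"
               and a.get("UserName", "").lower() not in BUILTIN_NAMES)


def interfaces_outside_mgmt_nets(interfaces, approved=APPROVED_MGMT_NETS):
    """Ids of interfaces holding an address outside the approved management networks."""
    flagged = []
    for iface in interfaces:
        for entry in iface.get("IPv4Addresses", []):
            addr = ipaddress.ip_address(entry["Address"])
            if not any(addr in net for net in approved):
                flagged.append(iface["Id"])
                break
    return flagged


def audit(accounts, interfaces):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    for name in enabled_builtin_accounts(accounts):
        findings.append(f"built-in account '{name}' is enabled; "
                        "disable it once a unique administrative account exists")
    if unique_admin_count(accounts) == 0:
        findings.append("no uniquely named Administrator account is enabled")
    for iface in interfaces_outside_mgmt_nets(interfaces):
        findings.append(f"interface {iface} is addressed outside the approved "
                        "management networks; check for external exposure")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNTS, SAMPLE_INTERFACES):
        print("FINDING:", line)
```

On the constructed sample the audit reports the enabled built-in accounts admin and root and the eth1 interface sitting outside the approved management subnet; the uniquely named ops-jdoe account satisfies the last check. In practice the two lists would be fetched from the BMC over an authenticated Redfish session from inside the management network, and the approved-subnet list would match the ACLs enforced at the network boundary.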

More information is available here:

https://eclypsium.com/research/bmcc-lights-out-forever/

https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bugs-can-let-hackers-brick-vulnerable-servers/