“These new vulnerabilities range in severity from high to severe, including unauthenticated remote code execution and unauthorized device access with superuser permissions”.
“They can be exploited by remote attackers with access to the Redfish Remote Management Interface or from a compromised host operating system.”
To make matters worse, the loophole can also be weaponized to drop persistent firmware implants that are resistant to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce an indefinite reboot loop.
“As attackers shift their focus from user-facing operating systems to the lower-level embedded code on which hardware and computing rely, it becomes more difficult to compromise and remedy,” the researchers explained.
The vulnerabilities are the latest addition to a set of bugs affecting the AMI MegaRAC BMC collectively named BMC&C, some of which were disclosed by the firmware security company in December 2022 (CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827) and February 2023 (CVE-2022-26872 and CVE-2022-40258).
The list of new flaws is as follows:
- CVE-2023-34329 (CVSS Score: 9.9) – Authentication bypass via HTTP header spoofing
- CVE-2023-34330 (CVSS Score: 6.7) – Code Injection via Dynamic Redfish Extension Interface
When chained together, both bugs lead to a combined severity score of 10.0, allowing an adversary to bypass Redfish authentication and remotely execute arbitrary code on a BMC chip with the highest privileges. In addition, the above flaws can be combined with CVE-2022-40258 to crack the password for administrator accounts on the BMC chip.
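The first flaw above belongs to a well-known class: an authorization decision that takes the caller's origin from an HTTP header the client controls. The following Python is an added illustration of that class from a defender's point of view; it is not AMI's or Eclypsium's code, and the article does not describe the actual MegaRAC logic. The header name `X-Client-Addr`, the trusted loopback network, and the session token are constructed placeholders. It shows the anti-pattern beside the hardened form, an ingress step that strips origin-claiming headers, and a detection check for a header whose claimed origin disagrees with the socket peer.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumptions for this illustration only (not from the article).
TRUSTED_NET = ip_network("127.0.0.0/8")      # stands in for a "host-side" management path
CLIENT_ADDR_HEADER = "X-Client-Addr"         # placeholder name for an origin-claiming header
VALID_SESSION = "session-token-for-demo"     # stands in for a real session store lookup


@dataclass
class Request:
    peer_addr: str                               # taken from the TCP socket; not client-controlled
    headers: dict = field(default_factory=dict)  # entirely client-controlled
    session: Optional[str] = None


def session_is_valid(req: Request) -> bool:
    """Constant-time comparison against the (placeholder) valid session token."""
    return compare_digest(req.session or "", VALID_SESSION)


def authorize_vulnerable(req: Request) -> bool:
    """Anti-pattern: the caller's origin is read from a header, and a 'local'
    origin is allowed to skip authentication. Any remote client can set that header."""
    claimed = req.headers.get(CLIENT_ADDR_HEADER, req.peer_addr)
    try:
        if ip_address(claimed) in TRUSTED_NET:
            return True  # unauthenticated access granted on a spoofable claim
    except ValueError:
        pass             # malformed claim: fall through to normal auth
    return session_is_valid(req)


def authorize_hardened(req: Request) -> bool:
    """Fix: credentials are required on every path. Network origin is never a
    substitute for authentication, and request headers never influence the decision."""
    return session_is_valid(req)


def strip_origin_headers(headers: dict) -> dict:
    """Ingress hygiene: drop client-supplied origin claims before the request reaches
    any component that might read them (case-insensitive header match)."""
    return {k: v for k, v in headers.items() if k.lower() != CLIENT_ADDR_HEADER.lower()}


def origin_mismatch(req: Request) -> bool:
    """Detection signal: a header claiming a trusted origin while the socket peer sits
    outside that network is worth alerting on. Malformed claims are flagged as well."""
    claimed = req.headers.get(CLIENT_ADDR_HEADER)
    if claimed is None:
        return False
    try:
        claimed_ip = ip_address(claimed)
    except ValueError:
        return True
    return claimed_ip in TRUSTED_NET and ip_address(req.peer_addr) not in TRUSTED_NET


if __name__ == "__main__":
    # Constructed sample: a remote peer claiming a loopback origin, with no session.
    spoofed = Request(peer_addr="203.0.113.5", headers={CLIENT_ADDR_HEADER: "127.0.0.1"})
    print("vulnerable grants access:", authorize_vulnerable(spoofed))  # True
    print("hardened grants access:  ", authorize_hardened(spoofed))    # False
    print("origin mismatch flagged: ", origin_mismatch(spoofed))       # True
    print("after ingress strip:     ", strip_origin_headers(spoofed.headers))  # {}
```

The design point is that the hardened path does not simply check the socket peer instead of the header: the article notes these bugs are reachable from a compromised host OS as well, so network origin alone is not a trust boundary and every management request should carry real credentials. The `origin_mismatch` check is the kind of signal a reverse proxy or BMC log pipeline can raise regardless of whether the backend is patched.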
It’s worth pointing out that an attack of this nature could result in the installation of malware that could be used to perform long-term cyber espionage while flying under the radar of security software, not to mention performing lateral movement. And even the CPU can be harmed by power management tampering techniques like PMFault.
“These vulnerabilities pose a major threat to the technology supply chain underpinning cloud computing,” the researchers said. “In essence, vulnerabilities of one component supplier affect multiple hardware vendors, which in turn can be passed on to multiple cloud services.”
“These vulnerabilities can therefore pose a threat to servers and hardware that are directly owned by an organization as well as the hardware that supports the cloud services they use.”