Millions of machines may have maximum-severity vulnerabilities, courtesy of firmware flaws their owners might not even know are there.
Baseboard management controllers (BMCs) are small, dedicated chips built into servers to ease remote monitoring and management, providing what is often referred to as “lights out” functionality, as Ars Technica has reported. BMCs let IT teams read metrics like temperatures and voltages, remotely mount media to the server, push firmware updates, and perform many other privileged tasks without physical access to the server, and they keep running even when the host itself is powered off.
Because a BMC sits below the host operating system and a compromised one hands an attacker the equivalent of superuser control over the machine, BMC vulnerabilities are a serious cybersecurity threat. Eclypsium researchers analyzed AMI firmware that had originally been leaked in the 2021 attack on computer-components manufacturer Gigabyte and found flaws that would let an attacker who controls the local host operating system, or who can reach the BMC’s Redfish remote-management interface, wreak havoc on server farms.
The most severe flaw is an authentication bypass via HTTP header spoofing: the BMC software treated administrative requests as already authenticated when they appeared to originate from a hard-coded internal IP address, and because that origin was read from an attacker-controllable HTTP header rather than from the connection itself, a remote attacker could simply claim the trusted address. The second flaw relies on the same IP-spoofing trick and lets an attacker inject code through an API that is intended for development purposes only but is enabled by default.
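The pattern behind that bypass, as an added example that is not code from Eclypsium, AMI or this article: an authorization routine that takes the request's origin from a client-supplied header and waives authentication for the "internal" address, beside a hardened version that ignores headers for trust decisions and a helper that flags spoofing attempts in a proxy or access log. The header name, the internal address and the credential store are placeholders assumed for the example, not values taken from the firmware.

```python
"""
Added example, not code from Eclypsium, AMI or the page: the trust-by-header
pattern behind the authentication bypass described above, beside a hardened
version and a detection helper. The header name, the internal address and the
credential store are placeholders (assumptions), not values from the firmware.
"""
import hmac
from typing import Mapping, Optional

TRUSTED_INTERNAL_IP = "169.254.0.17"      # hypothetical hard-coded "internal" address
TRUSTED_SRC_HEADER = "X-Client-Source"     # hypothetical header the firmware consults

# Constructed credential store for the example; real firmware stores hashes.
_ADMIN_USERS = {"admin": "correct horse battery staple"}


def _check_credentials(user: Optional[str], password: Optional[str]) -> bool:
    """Constant-time credential check against the constructed store."""
    if user is None or password is None:
        return False
    expected = _ADMIN_USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def vulnerable_authorize(headers: Mapping[str, str], peer_ip: str,
                         user: Optional[str], password: Optional[str]) -> bool:
    """Vulnerable pattern: the request origin is taken from a client-supplied
    header, falling back to the socket peer address only when the header is
    absent, and requests that appear to come from the internal address skip
    authentication entirely."""
    source_ip = headers.get(TRUSTED_SRC_HEADER, peer_ip)
    if source_ip == TRUSTED_INTERNAL_IP:
        return True                        # no credentials checked at all
    return _check_credentials(user, password)


def hardened_authorize(headers: Mapping[str, str], peer_ip: str,
                       user: Optional[str], password: Optional[str]) -> bool:
    """Hardened: headers never influence the trust decision, and origin is
    never a substitute for authentication. Every administrative request must
    carry valid credentials, whether it arrives internally or over the LAN."""
    del headers, peer_ip                   # deliberately unused
    return _check_credentials(user, password)


def looks_spoofed(headers: Mapping[str, str], peer_ip: str) -> bool:
    """Detection helper for a proxy or access log: a request that carries the
    internal-origin header while its transport peer is not the internal
    address is a spoofing attempt worth alerting on."""
    claimed = headers.get(TRUSTED_SRC_HEADER)
    return claimed is not None and peer_ip != TRUSTED_INTERNAL_IP


if __name__ == "__main__":
    # Constructed request: LAN client, no credentials, spoofed origin header.
    spoofed = {TRUSTED_SRC_HEADER: TRUSTED_INTERNAL_IP}
    print("vulnerable lets it through:", vulnerable_authorize(spoofed, "10.0.0.5", None, None))
    print("hardened rejects it:       ", not hardened_authorize(spoofed, "10.0.0.5", None, None))
    print("flagged as spoofed:        ", looks_spoofed(spoofed, "10.0.0.5"))
```

The design point is that network position is not an identity: even a request that genuinely arrives over the host-side interface should still present credentials, because anything running as root on the host can drive that interface.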
Chained together, the flaws rate a 10/10 severity score, according to Eclypsium. AMI distributed a patch for the issue in April, but whether all affected servers have actually been updated is unclear.
The bugs are so bad they could allow an attacker to physically fry servers by disabling thermal limits, Nate Warfield, director of threat research and intelligence at Eclypsium, told IT Brew. The company demonstrated the bug to AMI somewhat less dramatically by uploading a script that sent a server into endless shutdown loops.
“We could have loaded an implant on one system, and then it would just run and it could be sort of like a worm-type attack where it would go and scan its local subnets and say, ‘Are there any more of these BMCs out here,’” Warfield said. “When it finds them, it could then run the exploit, send the code to that one and then…it just goes and scans and keeps infecting everything else that it can.”
“It is definitely one of the worst things you can have go wrong,” Warfield added. “In this instance, the only mitigating factor is that it doesn’t appear that many people have exposed these things to the public internet.”
But defenders shouldn’t allow themselves to fall for a “false sense of security,” according to Warfield, because attackers are increasingly adept at lateral movement, including via supply-chain attacks. Servers may also be left unpatched on the assumption that they are unreachable from the outside world, and standard endpoint security software cannot see malware on a BMC, which runs on its own processor outside the host operating system.
Unfortunately, the BMC update has to be installed manually, machine by machine, Warfield said. And since AMI ships its firmware to OEMs rather than to end customers, the fix has to reach users through the OEM that sold them the servers. As is common with supply-chain issues, Warfield warned, organizations may not even know which BMC firmware, or which version of it, is running on their servers.
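A first step toward closing that knowledge gap, as an added example that is not tooling from AMI, Eclypsium or any OEM: an offline inventory check that reads output operators can already collect from each server, either the text of `ipmitool mc info` or the JSON of the Redfish `/redfish/v1/Managers/<id>` resource, records the reported vendor and firmware version, and flags anything older than the version the OEM's advisory names as fixed. The sample outputs and the fixed version passed in are constructed placeholders; nothing here knows the real patched version numbers, which you must take from your OEM.

```python
"""
Added example, not code from AMI, Eclypsium or any OEM: parse BMC identity
and firmware version from `ipmitool mc info` text or a Redfish Manager JSON
document, then flag hosts below an operator-supplied fixed version.
The sample outputs below are constructed for the example.
"""
import json
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass
class BmcRecord:
    host: str
    manufacturer: str
    firmware: str


def parse_ipmitool_mc_info(host: str, text: str) -> BmcRecord:
    """Parse the 'Key : Value' lines printed by `ipmitool -I lanplus -H <bmc> mc info`."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return BmcRecord(host,
                     fields.get("Manufacturer Name", "unknown"),
                     fields.get("Firmware Revision", "unknown"))


def parse_redfish_manager(host: str, body: str) -> BmcRecord:
    """Parse a GET /redfish/v1/Managers/<id> response. FirmwareVersion is a
    standard Manager property; Manufacturer may be absent on older schemas."""
    doc = json.loads(body)
    return BmcRecord(host,
                     doc.get("Manufacturer", "unknown"),
                     doc.get("FirmwareVersion", "unknown"))


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.17' -> (1, 17); non-numeric suffixes such as '1.2b' are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def needs_update(rec: BmcRecord, fixed_version: str) -> bool:
    """True when the BMC cannot be shown to run the fixed version or newer.
    An unknown version is treated as needing attention, not as safe."""
    if rec.firmware == "unknown":
        return True
    return version_tuple(rec.firmware) < version_tuple(fixed_version)


# Constructed sample: what `ipmitool mc info` prints for one hypothetical server.
IPMITOOL_SAMPLE = """\
Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 1.16
IPMI Version              : 2.0
Manufacturer ID           : 12345
Manufacturer Name         : Example OEM
Product ID                : 4660 (0x1234)
"""

# Constructed sample: a Redfish Manager resource for a second hypothetical server.
REDFISH_SAMPLE = json.dumps({
    "@odata.id": "/redfish/v1/Managers/1",
    "Id": "1",
    "ManagerType": "BMC",
    "Manufacturer": "Example OEM",
    "FirmwareVersion": "1.18",
})


def run_inventory(fixed_version: str) -> dict:
    """Map host -> needs_update over the two constructed samples."""
    records = [
        parse_ipmitool_mc_info("srv-01", IPMITOOL_SAMPLE),
        parse_redfish_manager("srv-02", REDFISH_SAMPLE),
    ]
    return {rec.host: needs_update(rec, fixed_version) for rec in records}


if __name__ == "__main__":
    # "1.17" stands in for whatever version your OEM advisory names as fixed.
    for host, flagged in run_inventory("1.17").items():
        print(f"{host}: {'UPDATE NEEDED' if flagged else 'ok'}")
```

Note the caveat this surfaces: the vendor field a BMC reports is usually the OEM's name, not the firmware supplier's, so the inventory alone will not tell you that a given BMC is built on AMI code. The version-to-advisory mapping still has to come from the OEM, which is exactly the lead time Warfield describes.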
“When we’re talking about a software supply chain, the lead time for remediation is just exponentially larger than most vulnerabilities,” he added.