Researchers from Eclypsium have recently disclosed two vulnerabilities in the Baseboard Management Controllers (BMCs) used by various server manufacturers. The flaws are in the American Megatrends (AMI) MegaRAC firmware that runs on these controllers, which enable autonomous equipment management. The vulnerabilities allow an unauthenticated attacker to gain control of the BMC and execute their code at the firmware level. The attack can be performed by sending a specially crafted request to the control interface’s HTTP interface, known as Redfish. While BMC access is typically restricted to local or datacenter networks, there are cases where it remains open to the global network. Exploiting these vulnerabilities could result in equipment damage. Firmware updates, specifically AMI MegaRAC SPX_13.2 and SPX_12.4, have been released to address these issues. More information can be found here.
BMCs are specialized controllers installed in servers, providing a low-level interface for monitoring and managing server equipment. As the equipment in data centers is often standardized, compromising one system allows for immediate attacks on all the servers in the data center through the BMC. These vulnerabilities could also be utilized by attackers from guest systems targeting cloud providers or virtualized systems. Additional details can be found here.
If an attacker gains access to the BMC software environment, which operates independently of the server’s operating system, they can carry out various attack scenarios such as firmware replacement, physical equipment damage, remote system loading, manipulation of the remote access console, equipment damage through voltage manipulation, disruption of stable operation, and using the BMC environment as a launching point for attacks on other systems.
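For defenders, the two points above that can be checked from an asset inventory are whether each BMC runs a firmware level at or above the fixed releases and whether its address sits outside the management network. The following is an added example, not code from Eclypsium or AMI. It assumes that the inventory records firmware as "major.minor", that the 12.x branch is fixed at 12.4 and the 13.x branch at 13.2, and that the management network is 10.20.0.0/24; hosts and addresses are constructed.

```python
import ipaddress

# Fixed releases named in the article, keyed by major branch (SPX_12.4, SPX_13.2).
# Assumption: the inventory stores firmware as "major.minor" in the same numbering.
FIXED = {12: (12, 4), 13: (13, 2)}

# Assumption: BMCs are only supposed to live in these management networks.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed inventory: (host, BMC address, firmware "major.minor").
INVENTORY = [
    ("rack1-node01", "10.20.0.11", "12.3"),
    ("rack1-node02", "10.20.0.12", "12.10"),
    ("edge-node07", "203.0.113.25", "13.1"),
    ("rack2-node04", "10.20.0.40", "13.2"),
    ("lab-node03", "192.168.50.9", "11.7"),
]

def patch_status(version):
    """Compare numerically so that 12.10 is treated as newer than 12.4."""
    try:
        parsed = tuple(int(p) for p in version.split("."))
    except ValueError:
        return "unknown"
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return "unknown"  # branch not named in the article: check the vendor advisory
    return "patched" if parsed >= fixed else "needs-update"

def outside_mgmt(address):
    """True when the BMC address is not inside any allowed management network."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in MGMT_NETS)

def triage(inventory):
    """Return (host, status, outside_mgmt) rows, most urgent first."""
    rows = [(h, patch_status(v), outside_mgmt(a)) for h, a, v in inventory]
    rank = {"needs-update": 0, "unknown": 1, "patched": 2}
    return sorted(rows, key=lambda r: (rank[r[1]], not r[2]))

if __name__ == "__main__":
    for host, status, exposed in triage(INVENTORY):
        where = "OUTSIDE mgmt network" if exposed else "mgmt network"
        print(f"{host:14} {status:13} {where}")
```

Rows marked "unknown" belong to a firmware branch the article does not name, so their status has to come from the vendor advisory rather than from this comparison.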
The identified vulnerabilities have been: