Two extra provide chain safety flaws have been disclosed in AMI MegaRAC Baseboard Administration Controller (BMC) software program, almost two months after three safety vulnerabilities had been dropped at gentle in the identical product.
Firmware safety agency Eclypsium mentioned the 2 shortcomings had been held again till now to supply AMI further time to engineer applicable mitigations.
The problems, collectively tracked as BMC&C, might act as springboard for cyber assaults, enabling menace actors to acquire distant code execution and unauthorized gadget entry with superuser permissions.
The 2 new flaws in query are as follows –
- CVE-2022-26872 (CVSS rating: 8.3) – Password reset interception through API
- CVE-2022-40258 (CVSS rating: 5.3) – Weak password hashes for Redfish and API
Particularly, MegaRAC has been discovered to make use of the MD5 hashing algorithm with a world salt for older units, or SHA-512 with per consumer salts on newer home equipment, probably permitting a menace actor to crack the passwords.
CVE-2022-26872, alternatively, leverages an HTTP API to dupe a consumer into initiating a password reset by way of a social engineering assault, and set a password of the adversary’s selection.
CVE-2022-26872 and CVE-2022-40258 add to 3 different vulnerabilities disclosed in December, together with CVE-2022-40259 (CVSS rating: 9.9), CVE-2022-40242 (CVSS rating: 8.3), and CVE-2022-2827 (CVSS rating: 7.5).
It is value mentioning that the weaknesses are exploitable solely in situations the place the BMCs are uncovered to the web or in instances the place the menace actor has already gained preliminary entry into an information middle or administrative community by different strategies.
The blast radius of BMC&C is at present unknown, however Eclypsium mentioned it is working with AMI and different events to find out the scope of impacted services.
Gigabyte, Hewlett Packard Enterprise, Intel, and Lenovo have all launched updates to handle the safety defects of their units. NVIDIA is anticipated to ship a repair in Could 2023.
“The influence of exploiting these vulnerabilities embody distant management of compromised servers, distant deployment of malware, ransomware and firmware implants, and server bodily harm (bricking),” Eclypsium famous.
