Nearly two months after three security vulnerabilities were revealed in AMI MegaRAC Baseboard Management Controller (BMC) software, two more supply chain security flaws have been uncovered. Firmware security firm Eclypsium held back the two shortcomings until now to give AMI extra time to develop appropriate mitigations. The issues, collectively tracked as BMC&C, could be used as a launching pad for cyber attacks, allowing malicious actors to gain remote code execution and unauthorized device access with superuser permissions.

Specifically, MegaRAC has been found to use the MD5 hashing algorithm with a global salt for older devices, or SHA-512 with per-user salts on newer appliances, potentially allowing a threat actor to crack the passwords. CVE-2022-26872, on the other hand, takes advantage of an HTTP API to trick a user into initiating a password reset by means of a social engineering attack, and set a password of the adversary's choice. These two vulnerabilities join three others that were disclosed in December, including CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827.

It is important to note that the weaknesses are only exploitable in scenarios where the BMCs are exposed to the internet or in cases where the threat actor has already gained initial access into a data center or administrative network by other methods.

The extent of BMC&C is currently unknown, but Eclypsium is working with AMI and other parties to determine the scope of impacted products and services. Gigabyte, Hewlett Packard Enterprise, Intel, and Lenovo have all released updates to address the security defects in their devices. The consequences of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and physical damage to servers, Eclypsium noted.
This Cyber News was published on thehackernews.com. Publication date: Wed, 01 Feb 2023 05:40:03 +0000