Critical AMI BMC Firmware Vulnerability Exposes Devices to Remote Attacks
A critical security flaw in baseboard management controller (BMC) firmware developed by AMI could leave millions of devices vulnerable to remote cyberattacks, according to firmware and hardware security company Eclypsium.
Eclypsium has been analyzing AMI BMC security for years and previously disclosed two major vulnerabilities in 2023, warning that they could allow attackers to take control of affected devices or even cause physical damage.
On Tuesday, Eclypsium researchers reported discovering a new security flaw, tracked as CVE-2024-54085. This vulnerability is similar to CVE-2023-34329, a 2023 authentication bypass flaw, but it remains unclear whether it results from an incomplete patch or is an entirely new security weakness. Investigations are ongoing.
BMC firmware enables administrators to remotely monitor and control devices, including tasks like updating firmware and installing operating systems. AMI BMC technology is found in millions of devices worldwide, including products from Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, and Qualcomm.
So far, CVE-2024-54085 has been confirmed to impact servers made by HPE, Asus, Asrock, and Lenovo. Advisories from AMI, Lenovo, and HPE have been issued, informing customers about available patches and mitigation steps.
While AMI has released patches, it is now the responsibility of OEMs (original equipment manufacturers) to distribute the updates to their customers.
The flaw affects the Redfish management interface, which is commonly used for remote system management. If exploited, attackers could:
- Bypass authentication and take complete control of the targeted machine.
- Deploy malware and manipulate system firmware.
- Brick (disable) motherboard components or cause physical damage by altering voltage settings.
In severe cases, attackers could spread malicious commands across multiple BMCs within the same data center environment, forcing all affected devices into an endless reboot cycle. This could result in indefinite, unrecoverable downtime, requiring devices to be manually re-provisioned to restore functionality.
A Shodan search conducted by Eclypsium found over 1,000 internet-exposed MegaRAC BMC instances that could be directly vulnerable to attacks. However, the actual number of affected devices could be much higher, since BMCs that are not reachable from the internet remain exposed to attackers who already have local or internal network access.
Organizations using AMI-based BMCs should immediately check for firmware updates from their device manufacturers and apply available patches. They should also limit exposure of their BMC interfaces to the internet and strengthen network security policies to prevent exploitation.
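The first step the advice above calls for is knowing which BMCs are still running unpatched firmware. The following is an added example (not code from the article, AMI, or Eclypsium) that reads the standard Redfish Manager resource (`GET /redfish/v1/Managers/<id>`), which on MegaRAC and most other BMCs carries the `FirmwareVersion` field, and flags any controller below a minimum version. The minimum version is a placeholder: take it from your OEM's advisory for CVE-2024-54085, since the article does not list fixed version numbers. The `fetch_manager` helper uses HTTP Basic authentication, which the Redfish specification permits; the sample JSON at the bottom is constructed.

```python
"""Inventory BMC firmware versions over Redfish and flag hosts below the
OEM-published fixed version. Added example; MIN_PATCHED_VERSION is a
placeholder to be replaced with the value from the vendor advisory."""
import base64
import json
import re
import ssl
import urllib.request

# PLACEHOLDER: replace with the fixed firmware version from your OEM advisory.
MIN_PATCHED_VERSION = "0.0.0"


def parse_version(text):
    """Turn a vendor string such as '12.61.0' or 'v2.10' into a tuple of ints.
    Non-numeric fragments are ignored; an empty string becomes (0,)."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")]
    return tuple(nums) if nums else (0,)


def version_at_least(current, minimum):
    """Right-pad with zeros so that '12.61' compares equal to '12.61.0'."""
    a, b = parse_version(current), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess_manager(manager, min_version=MIN_PATCHED_VERSION):
    """Build an inventory record from the JSON body of a Redfish Manager resource."""
    fw = manager.get("FirmwareVersion", "")
    return {
        "id": manager.get("Id"),
        "model": manager.get("Model"),
        "firmware": fw,
        "patched": version_at_least(fw, min_version),
    }


def fetch_manager(host, user, password, manager_id="1", verify_tls=True):
    """GET the Manager resource from a BMC you administer and return the parsed JSON.
    verify_tls=False is only for lab BMCs with self-signed certificates."""
    url = f"https://{host}/redfish/v1/Managers/{manager_id}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def report(records):
    """Return the subset of inventory records that still need a firmware update."""
    return [r for r in records if not r["patched"]]


if __name__ == "__main__":
    # Constructed sample responses standing in for two BMCs; in practice use
    # fetch_manager() against each controller in your asset inventory.
    samples = [
        {"Id": "1", "Model": "Constructed BMC A", "FirmwareVersion": "12.60"},
        {"Id": "1", "Model": "Constructed BMC B", "FirmwareVersion": "12.61.2"},
    ]
    records = [assess_manager(m, min_version="12.61") for m in samples]
    for r in report(records):
        print(f"UPDATE NEEDED: {r['model']} running {r['firmware']}")
```

Run this from a management host that already has Redfish credentials for the BMCs; pairing the output with the asset list is also a quick way to find controllers that are reachable from networks they should not be on.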
With BMC firmware playing a crucial role in remote system management, vulnerabilities like CVE-2024-54085 highlight the critical need for proactive security measures to protect against potential cyber threats.