A series of vulnerabilities in AMI MegaRAC can render servers unusable 


These vulnerabilities pose a significant risk to the technology supply chain underlying cloud computing.

Eclypsium researchers recently published a blog post describing a series of vulnerabilities in BMC controllers running American Megatrends (AMI) MegaRAC firmware, which many server manufacturers use to provide out-of-band management of their hardware.

For those unfamiliar with the term, a BMC (Baseboard Management Controller) is a specialized controller installed in servers that has its own CPU, memory, storage, and sensor-polling interfaces, and that provides a low-level interface for monitoring and controlling the server hardware independently of the host operating system.

Because the equipment installed in a data center is usually homogeneous, once one system is compromised the same attack can be repeated through the BMC across every server in the facility. According to the researchers, the vulnerabilities could also be used to attack cloud providers or virtualization platforms from within guest systems.

The vulnerabilities allow an unauthenticated attacker to gain access to the BMC environment and run their own code at the firmware level by sending a specially crafted request to the HTTP port of the Redfish management interface.

The problem is that, as a rule, access to the BMC is supposed to be limited to the local or data center management network, but in practice it is often left reachable from the Internet as well. The vulnerabilities can also be exploited from the host operating system by an attacker who already has access to it, in order to damage the machine.

Because the BMC software environment runs independently of whatever operating system is installed on the server, an attacker who gains access to it can carry out attack scenarios such as:

  • replacing the server's firmware;
  • remotely booting an attacker-controlled system over the network;
  • tampering with the remote access console (for example, watching the administrator's actions on the system and substituting input);
  • causing hardware failure (for example, by raising the voltage supplied to the processor or corrupting, "bricking", the firmware);
  • disrupting normal operation by triggering reboots and power cycles;
  • using the BMC environment as a foothold for attacks on other systems.

The most critical of the identified vulnerabilities are:

  • CVE-2023-34329: an authentication bypass triggered by sending modified HTTP headers in a request to the Redfish web interface. Redfish supports two authentication modes: "Basic Auth" for requests arriving from outside, and "No Auth" for requests arriving from the internal interface IP addresses or the USB0 interface. On firmware with "No Auth" mode enabled, an attacker on an external network can reach that mode simply by changing an HTTP header in the request. For example, an unauthenticated attacker could use the API to create a new account and then use it to gain full access to the Redfish interface.
  • CVE-2023-34330: code injection through the Dynamic Redfish Extension interface. AMI's Redfish implementation includes a debugging feature for firmware developers that allows code to be run as root in the BMC environment by sending a special HTTP POST request. For some reason this debugging feature was not disabled in production firmware for requests coming from the local system, so an attacker on the local system can use "No Auth" mode to execute arbitrary code on the BMC chip without authenticating.
  • Combined with CVE-2023-34329, this issue allows a remote attacker who can send network requests to the HTTP port of the BMC management interface to spoof a request from the internal network interface and execute arbitrary code at the BMC firmware level.
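The flaw class behind CVE-2023-34329 is worth seeing in code: an authentication mode ("No Auth" versus "Basic Auth") selected from something the client controls. The following is an added example and is not code from Eclypsium, AMI or the MegaRAC firmware. The header name `X-Source-Interface`, the "internal" address ranges, the credential store and the request objects are all assumptions made for illustration; the actual header and check used by the firmware are not reproduced here. The vulnerable function picks the mode from the spoofable header, while the fixed one uses only socket-level facts the peer cannot forge.

```python
"""Auth-mode selection in a Redfish-style handler: spoofable header vs socket facts.

Added example for illustration, not code from Eclypsium, AMI or MegaRAC.
Header name, address ranges, credentials and requests are constructed assumptions.
"""
import base64
import ipaddress
from dataclasses import dataclass

# Assumption: networks the BMC treats as "internal" (host-side USB0 link, loopback).
# The real firmware's internal ranges are not known here.
INTERNAL_NETS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed credential store for the demo (never store plaintext passwords for real).
VALID_USERS = {"admin": "correct-horse-battery-staple"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict   # fully attacker-controlled: anything the client chose to send
    peer_addr: str  # remote address taken from the TCP socket, not from the client
    local_addr: str # address of the interface the request arrived on, from the socket


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _basic_auth_ok(headers: dict) -> bool:
    """Validate an RFC 7617 Basic credential against the demo user store."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return VALID_USERS.get(user) == password


def authorize_vulnerable(req: Request) -> bool:
    """Chooses 'No Auth' when a client-supplied header claims an internal origin.

    Hypothetical header 'X-Source-Interface': an external attacker just sets it.
    """
    if req.headers.get("X-Source-Interface") == "usb0":
        return True  # "No Auth" mode granted on the client's word alone
    return _basic_auth_ok(req.headers)


def authorize_fixed(req: Request) -> bool:
    """Chooses 'No Auth' only from socket facts: both ends must be on an internal net.

    Headers play no part in the decision; an external peer always needs credentials.
    """
    if _is_internal(req.local_addr) and _is_internal(req.peer_addr):
        return True
    return _basic_auth_ok(req.headers)


# Constructed requests. The path is the standard Redfish account collection, which
# is what an attacker would POST to in order to create a new account.
ACCOUNTS = "/redfish/v1/AccountService/Accounts"
_CRED = "Basic " + base64.b64encode(b"admin:correct-horse-battery-staple").decode()

SPOOFED_EXTERNAL = Request("POST", ACCOUNTS, {"X-Source-Interface": "usb0"},
                           peer_addr="203.0.113.7", local_addr="198.51.100.20")
LEGIT_INTERNAL = Request("GET", ACCOUNTS, {},
                         peer_addr="169.254.0.2", local_addr="169.254.0.17")
EXTERNAL_WITH_CREDS = Request("GET", ACCOUNTS, {"Authorization": _CRED},
                              peer_addr="203.0.113.7", local_addr="198.51.100.20")
EXTERNAL_BAD_CREDS = Request("GET", ACCOUNTS, {"Authorization": "Basic YWRtaW46bm9wZQ=="},
                             peer_addr="203.0.113.7", local_addr="198.51.100.20")


def compare(req: Request) -> dict:
    """Return both decisions for one request so the difference is visible side by side."""
    return {"vulnerable": authorize_vulnerable(req), "fixed": authorize_fixed(req)}


if __name__ == "__main__":
    for name, req in [("spoofed external", SPOOFED_EXTERNAL),
                      ("legitimate internal", LEGIT_INTERNAL),
                      ("external with creds", EXTERNAL_WITH_CREDS),
                      ("external bad creds", EXTERNAL_BAD_CREDS)]:
        print(f"{name:22s} {compare(req)}")
```

Even the fixed variant keeps the "No Auth" mode for internal callers; the safer configuration, where the firmware allows it, is to disable that mode altogether so that the host operating system cannot reach the Redfish API without credentials either, which is exactly the path CVE-2023-34330 abuses.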

Finally, it is worth mentioning that the problems have been resolved in recent firmware updates. Those interested in learning more can check the details at the following link.

