Server Maintenance: Serious BMC vulnerabilities could lead to supply chain attacks


Attackers can target vulnerabilities in Baseboard Management Controller (BMC) modules from American Megatrends Inc. (AMI) and use them to run malicious code on servers in cloud data centers, for example.

Administrators can maintain servers remotely using a BMC management solution (keywords: out-of-band management, lights-out). AMI's remote maintenance firmware is widespread and used by AMD, Asus, Dell, Nvidia, Qualcomm, and others.

According to a report by security researchers at Eclypsium, the three vulnerabilities (CVE-2022-40259, rated critical; CVE-2022-40242, rated high; CVE-2022-2827, rated high) are in the BMC firmware. As a result, every manufacturer that ships this firmware is affected. This is what is called a supply chain attack.

If attackers succeed in exploiting the first of these vulnerabilities, they end up with an admin shell. From there they can, among other things, execute malicious code and compromise entire server regions. To do so, attackers would only have to send prepared URLs to the Redfish remote management interface, for example. There was a similar case in early 2022, when a rootkit got in through a hole in HPE's iLO remote maintenance system.

According to the security researchers, it is not yet known whether there have already been attacks in the current case. Their report does not specifically say whether security patches for the vulnerabilities are already available. Even if patches exist, it is difficult to roll out updates across the board because so many parties and products are involved. This is a major problem with supply chain attacks.

In their general security guidelines, the researchers advise administrators to, among other things, keep all servers up to date and not make BMCs publicly accessible. If there is no other way, administrators must secure VPN or SSH access against unauthorized use with strong authentication. The security researchers say that after scanning they discovered only a relatively small number of BMCs that could be reached directly online.
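The two guidelines above (keep BMCs off the public internet, and watch the Redfish interface the article mentions as the attack path) can be turned into routine checks. The following Python is an added example written for this page, not code from Eclypsium, AMI or the article's author. The management network 10.20.0.0/16, the BMC inventory, and the access-log lines are constructed; the log format is assumed to be the common web-server log style that many BMC web stacks emit.

```python
import ipaddress
import re

# Assumption: BMCs are only allowed to live on this management VLAN.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed inventory. 203.0.113.45 is a documentation address standing in
# for a BMC that was mistakenly given a routable address outside the VLAN.
BMC_INVENTORY = {
    "bmc-rack1-01": "10.20.1.11",
    "bmc-rack1-02": "10.20.1.12",
    "bmc-lab-07": "203.0.113.45",
}

# Constructed BMC web-server access log (common log format).
SAMPLE_LOG = """\
10.20.1.5 - - [10/Dec/2022:09:01:02 +0000] "GET /redfish/v1/Systems HTTP/1.1" 200 812
10.20.1.5 - - [10/Dec/2022:09:01:03 +0000] "GET /index.html HTTP/1.1" 200 1200
198.51.100.23 - - [10/Dec/2022:09:05:44 +0000] "POST /redfish/v1/Managers/1/Actions/Manager.Reset HTTP/1.1" 401 0
192.0.2.9 - - [10/Dec/2022:09:06:10 +0000] "GET /redfish/v1/AccountService/Accounts HTTP/1.1" 200 455
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_management_source(addr):
    """True if the address falls inside one of the allowed management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_MGMT_NETS)


def bmcs_outside_management_nets(inventory):
    """Names of BMCs whose address is not on the management VLAN.

    This is the inventory-side check for the guideline 'do not make the BMC
    publicly accessible': anything not on the management network is suspect.
    """
    return sorted(name for name, addr in inventory.items()
                  if not is_management_source(addr))


def suspicious_redfish_requests(log_text):
    """Redfish API requests that did not originate from the management network.

    Returns (source, method, path, status) tuples. A 401 from an outside
    address means someone reached the interface even though the login failed,
    which already violates the guideline; a 200 is worth an immediate look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if not m["path"].startswith("/redfish/"):
            continue  # only the remote-management API is of interest here
        if is_management_source(m["src"]):
            continue  # expected traffic from admin hosts on the VLAN
        hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for name in bmcs_outside_management_nets(BMC_INVENTORY):
        print(f"BMC {name} is addressed outside the management network")
    for src, method, path, status in suspicious_redfish_requests(SAMPLE_LOG):
        print(f"Redfish request from {src}: {method} {path} -> {status}")
```

In practice the inventory would come from the CMDB or DHCP leases and the log lines from the BMC's syslog forwarding; the two functions are the part that stays the same. Alerting on any Redfish request from a non-management source, regardless of status code, is deliberate: reachability itself is the finding.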
