Key Points
- Critical Vulnerability: A severe security flaw (CVE-2024-54085) in AMI’s MegaRAC BMC firmware affects many enterprise servers, allowing remote control and malware deployment.
- Slow Patch Rollout: Although AMI released a fix on March 11, OEMs like Lenovo and Asus have taken weeks to release patches for their servers.
- Broad Impact: The vulnerability affects numerous manufacturers, including HPE, AMD, and Nvidia, highlighting supply chain complexities in patching.
Servers at Risk: Slow Patches for Critical MegaRAC Flaw
A critical vulnerability in the MegaRAC baseband management controller (BMC) firmware, used in many enterprise servers and storage systems, is still not fully patched weeks after the initial fix was released. AMI, the BIOS developer, addressed the issue (CVE-2024-54085) on March 11, but the slow rollout of OEM patches is leaving servers vulnerable to exploitation.
What’s at Risk?
The BMC, an embedded chip, enables remote server management via the Redfish interface, even when servers are off or unresponsive. A successful exploit could allow attackers to bypass authentication, control servers remotely, deploy malware or ransomware, and cause destructive actions like reboot loops or bricked motherboards. This vulnerability has the highest severity score of 10, making it a significant threat.
Who’s Affected?
Numerous OEMs use AMI’s MegaRAC BMC, including:
- Hewlett Packard Enterprise (HPE), which released a patch for its Cray XD670 servers on March 20.
- Lenovo, which took until April 17 to release its patch.
- Asus, with updates for four motherboard models appearing this week, dated between March 12 and March 28.
- Other affected manufacturers: AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm.
- Dell confirmed its systems are unaffected, as they use Integrated Dell Remote Access Controller (iDRAC) instead.
Exploitation Concerns
Eclypsium, the company that discovered the vulnerability, warned that the flaw affects the entire BIOS supply chain, impacting over a dozen manufacturers. Although no exploitation has been detected yet, the slow patch rollout increases the risk of attacks. This vulnerability is just the latest in a series of MegaRAC flaws discovered by Eclypsium since 2022, highlighting concerns about the software’s security.
Mitigation and Concerns
The slow response to CVE-2024-54085 highlights two main issues:
- Supply Chain Complexity: Patching software involving multiple vendors is challenging, and not all servers from a single vendor use the same BMC.
- Recurring Vulnerabilities: Eclypsium has uncovered numerous MegaRAC flaws in recent years, including the latest one found while examining a previous fix.
To mitigate risks, organizations should:
- Ensure server management interfaces are not externally exposed.
- Regularly update and monitor firmware for signs of compromise.
- Patch new equipment and check for outdated firmware and supply chain implants.
As the tech industry continues to address this critical vulnerability, the focus remains on the need for swift and coordinated patching efforts to protect against potential attacks. Microsoft’s Azure and Windows Server customers relying on affected OEM hardware should monitor their vendors’ updates and apply patches promptly to safeguard their infrastructure. The situation underscores the importance of robust supply chain security and timely vulnerability management in the tech sector.
Read the rest: Source Link
Don’t forget to check our list of Cheap Windows VPS Hosting providers, How to get Windows Server 2022, Try Windows 11 Pro for Workstations & browse Windows Azure content.
Remember to like our facebook and follow us on twitter @WindowsMode.