Two years ago, hackers targeted hardware-maker Gigabyte and exposed over 112 gigabytes of data, including information from important supply-chain partners such as Intel and AMD. Recent research warns that this leaked information may have uncovered critical zero-day vulnerabilities that could potentially threaten a significant portion of the computing world.
The vulnerabilities were found in the firmware developed by AMI, a company based in Duluth, Georgia, for baseboard management controllers (BMCs). BMCs are small computers soldered into servers’ motherboards, allowing for remote management of large numbers of computers in data centers or by their customers. Administrators can perform tasks like remote OS installations, app installations/uninstallations, and system control, even when the server is powered off. This type of system management is commonly referred to as “lights-out.”
Security firm Eclypsium analyzed the leaked AMI firmware from the ransomware attack and discovered vulnerabilities that had been present for years. These vulnerabilities could be exploited by local or remote attackers who have access to the industry-standard remote-management interface called Redfish. Using this interface, attackers could execute malicious code on every server within a data center.
Until the vulnerabilities are patched with an update released by AMI, they provide opportunities for financially motivated or state-sponsored hackers to gain superuser access within highly sensitive cloud environments worldwide. Once inside, attackers could deploy ransomware or espionage malware at very low levels within the compromised systems. They may also cause physical damage to servers or trigger perpetual reboot loops that the victim organization cannot interrupt. Eclypsium warns that these events could result in “lights out forever” scenarios.
The severity of the vulnerabilities varies from high to critical, encompassing unauthenticated remote code execution and unauthorized device access with superuser permissions. Remote attackers can exploit these vulnerabilities through the Redfish remote management interface or from a compromised host operating system. Redfish, which has replaced traditional IPMI, provides a standardized API for managing a server’s infrastructure in modern data centers. It is supported by major server and infrastructure vendors, as well as the OpenBMC firmware project used in many hyperscale environments.
These vulnerabilities pose a significant risk to the technology supply chain that underpins cloud computing. Vulnerabilities in a component supplier affect numerous hardware vendors, leading to potential threats for cloud services. Consequently, these vulnerabilities can compromise both directly owned hardware and the hardware supporting the cloud services used by organizations. They can also impact upstream suppliers, necessitating discussions regarding supply chain risk management with key third-party partners.
BMCs are designed to offer administrators near-total and remote control over managed servers. AMI, a leading provider of BMCs and BMC firmware, serves a wide range of hardware vendors and cloud service providers. Hence, these vulnerabilities affect a vast number of devices, potentially enabling attackers to gain control over, or cause damage to, not only devices but also data centers and cloud service infrastructures. The same logic flaws may affect devices in fallback data centers located in different geographic regions but operated by the same service provider, challenging assumptions made by cloud providers and their customers regarding risk management and operational continuity.
The researchers point out that, if they could identify these vulnerabilities and create exploits using publicly available source code, there is no reason why malicious actors cannot do the same. Furthermore, even without access to the source code, the vulnerabilities can still be identified by decompiling the BMC firmware images. While there is no indication that malicious parties have already done so, there is also no way to confirm the absence of such activity.
The researchers have privately notified AMI about these vulnerabilities, and the company has developed firmware patches. These patches are accessible to customers through a restricted support page, and AMI has also published an advisory regarding the vulnerabilities.
The specific vulnerabilities identified are as follows:
– CVE-2023-34329: An authentication bypass via HTTP headers with a severity rating of 9.9 out of 10.
– CVE-2023-34330: Code injection via Dynamic Redfish Extension with a severity rating of 8.2.