Critical AMI BMC Vulnerability Allows Attackers To Bypass Authentication Remotely
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Security researchers have discovered a new critical vulnerability in AMI’s MegaRAC software that enables attackers to bypass authentication remotely.
This latest security flaw, identified as CVE-2024-54085, affects numerous data center equipment and server models, potentially compromising cloud infrastructure security across many organizations worldwide.
The vulnerability exists in the Redfish interface of AMI’s Baseboard Management Controller (BMC) software and impacts various devices including HPE Cray XD670 and Asus RS720A-E11-RS24U servers.
According to security analyses, approximately 1,000 exposed instances were discovered on the public internet through Shodan searches.
.webp)
Exposed instances in Shodan (Source – Eclypsium)
Eclypsium researchers identified that versions of MegaRAC as recent as August 2024 are affected by this authentication bypass vulnerability.
Their investigation revealed the flaw exists in the host-interface-support-module.lua file within the firmware filesystem, allowing attackers to manipulate HTTP header values to circumvent security controls.
The severity of this vulnerability cannot be overstated, with CVSS scores of 10.0 (CVSSv3) and 10.0 (CVSSv4) when Redfish is directly exposed to the internet.
Even in environments where Redfish access is restricted to adjacent networks, the scores remain dangerously high at 9.6 (CVSSv3) and 9.4 (CVSSv4).
Successful exploitation could allow attackers to gain complete remote control of compromised servers, deploy malware or ransomware, tamper with firmware, physically damage hardware through over-voltage conditions, or create indefinite reboot loops that victims cannot recover from without re-provisioning.
Exploit Details
The vulnerability stems from improper input validation in the Redfish interface.
The vulnerable code examines HTTP header values but can be tricked by specially crafted requests. When a user adds an X-Server-Addr header, the lighttpd web server structures it with user input followed by the server’s actual address:-
X-Server-Addr: , ::ffff:1.2.3.4
The code uses a regex expression that extracts everything up to the first colon, meaning if an attacker sends “169.254.0.17:” as input, the system extracts “169.254.0.17” which matches database values and bypasses authentication.
A simple exploit example looks like:-
import requests print( json.dumps(requests.post( 'https://:8443/redfish/v1/AccountService/Accounts', json={ 'Name': 'Hax0r', 'Password': 'password', 'UserName': 'demo712', 'RoleId': 'Administrator', }, verify=False, headers={'X-Server-Addr': '169.254.0.17:' } ).json(), indent=2) )
AMI has released patches to OEM manufacturers who must now incorporate fixes into updates for their customers.
Organizations are advised to ensure remote management interfaces are not exposed externally and to perform regular firmware updates on all servers.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Critical AMI BMC Vulnerability Allows Attackers To Bypass Authentication Remotely
Author: Tushar Subhra DuttaSecurity researchers have discovered a new critical vulnerability in AMI’s MegaRAC software that enables attackers to bypass authentication remotely.
This latest security flaw, identified as CVE-2024-54085, affects numerous data center equipment and server models, potentially compromising cloud infrastructure security across many organizations worldwide.
The vulnerability exists in the Redfish interface of AMI’s Baseboard Management Controller (BMC) software and impacts various devices including HPE Cray XD670 and Asus RS720A-E11-RS24U servers.
According to security analyses, approximately 1,000 exposed instances were discovered on the public internet through Shodan searches.
Exposed instances in Shodan (Source – Eclypsium)Eclypsium researchers identified that versions of MegaRAC as recent as August 2024 are affected by this authentication bypass vulnerability.
Their investigation revealed the flaw exists in the host-interface-support-module.lua file within the firmware filesystem, allowing attackers to manipulate HTTP header values to circumvent security controls.
The severity of this vulnerability cannot be overstated, with CVSS scores of 10.0 (CVSSv3) and 10.0 (CVSSv4) when Redfish is directly exposed to the internet.
Even in environments where Redfish access is restricted to adjacent networks, the scores remain dangerously high at 9.6 (CVSSv3) and 9.4 (CVSSv4).
Successful exploitation could allow attackers to gain complete remote control of compromised servers, deploy malware or ransomware, tamper with firmware, physically damage hardware through over-voltage conditions, or create indefinite reboot loops that victims cannot recover from without re-provisioning.
Exploit Details
The vulnerability stems from improper input validation in the Redfish interface.
The vulnerable code examines HTTP header values but can be tricked by specially crafted requests. When a user adds an X-Server-Addr header, the lighttpd web server structures it with user input followed by the server’s actual address:-
X-Server-Addr: , ::ffff:1.2.3.4
The code uses a regex expression that extracts everything up to the first colon, meaning if an attacker sends “169.254.0.17:” as input, the system extracts “169.254.0.17” which matches database values and bypasses authentication.
A simple exploit example looks like:-
import requests print( json.dumps(requests.post( 'https://:8443/redfish/v1/AccountService/Accounts', json={ 'Name': 'Hax0r', 'Password': 'password', 'UserName': 'demo712', 'RoleId': 'Administrator', }, verify=False, headers={'X-Server-Addr': '169.254.0.17:' } ).json(), indent=2) )
AMI has released patches to OEM manufacturers who must now incorporate fixes into updates for their customers.
Organizations are advised to ensure remote management interfaces are not exposed externally and to perform regular firmware updates on all servers.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
