Critical AMI Baseboard management vulnerabilities can brick servers

published: July 20, 2023

Take action: If you manage servers, assume that they are running AMI firmware; it is very probable that they are. Lock down the lights-out management interfaces of all your servers behind a VPN. Make sure that nobody has exposed them on the internet, whether accidentally or because logging in to the VPN was too much effort. Finally, watch your server vendor's firmware updates for a patch.
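The exposure check from the advice above, as an added example that is not part of the original article: it classifies a constructed BMC inventory by whether each management address sits inside the approved, VPN-only management network, somewhere else in RFC 1918 space, or outside private space altogether. The inventory, the hostnames and the 10.20.0.0/16 management prefix are assumptions for this example; the optional live check only uses the standard Redfish service root path (`/redfish/v1/`).

```python
"""Audit a BMC inventory for internet exposure (added example, not from the article)."""
import ipaddress
import json
import urllib.request
from typing import Iterable

# Constructed sample inventory; replace with your CMDB/DCIM export.
INVENTORY = [
    ("db-01-bmc", "10.20.4.11"),
    ("web-07-bmc", "10.20.4.57"),
    ("lab-03-bmc", "192.168.77.3"),    # private, but outside the approved management net
    ("old-rack-bmc", "203.0.113.40"),  # documentation range standing in for a public address
]
# Assumption: the lights-out management network is 10.20.0.0/16, reachable only over VPN.
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(address: str, approved: Iterable[ipaddress.IPv4Network]) -> str:
    """Return 'approved', 'private-unapproved' or 'public' for one BMC address."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in approved):
        return "approved"
    if any(ip in net for net in RFC1918_NETS):
        return "private-unapproved"
    return "public"  # not in private space: potentially reachable from the internet


def audit(inventory, approved=APPROVED_MGMT_NETS) -> dict:
    """Map each host to its exposure class; anything not 'approved' needs attention."""
    return {host: classify(addr, approved) for host, addr in inventory}


def redfish_reachable(address: str, timeout: float = 3.0) -> bool:
    """Optional live check against hosts you own: does the Redfish service root answer?
    True for a 'public' address means the BMC is exposed and must go behind the VPN."""
    url = f"https://{address}/redfish/v1/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "RedfishVersion" in json.load(resp)
    except Exception:
        return False


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Run it against your real inventory first, then call `redfish_reachable` from a network outside the VPN only for hosts the audit flagged, so that a hit confirms an actual exposure.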

Learn More

Security researchers have discovered two critical severity vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) software developed by American Megatrends International.

The MegaRAC BMC software provides out-of-band and lights-out remote system management capabilities, allowing administrators to troubleshoot servers remotely. This firmware is used by numerous server manufacturers, including AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett-Packard Enterprise, Huawei, Ampere Computing, ASRock, and others, who supply equipment to cloud service and data center providers.

The two security flaws were discovered after researchers analyzed the AMI source code that was stolen by the RansomEXX ransomware gang. Exploiting these vulnerabilities enables attackers to bypass authentication or inject malicious code via the Redfish remote management interfaces, which are intended to be reachable remotely.

  • CVE-2023-34329 (CVSS 3.0 base score of 9.9/10) allows authentication bypass through HTTP header spoofing.
  • CVE-2023-34330 (CVSS 3.0 base score of 6.7/10) allows code injection through the Dynamic Redfish Extension interface.

By combining these vulnerabilities, an attacker with network access to the BMC management interface, but lacking credentials, can achieve remote code execution on servers running the vulnerable firmware.

The attack is executed by tricking the BMC into perceiving the HTTP request as originating from the internal interface, allowing the attacker to upload and execute arbitrary code remotely. The impact of these exploits is severe, including remote control of compromised servers, deployment of malware or ransomware, potential firmware or motherboard bricking, and indefinite reboot loops that victims cannot interrupt.
