WTF?! Security flaws that compromise endpoint devices are challenging enough on their own. A critical vulnerability in a widely used firmware system could pose an even greater threat, one that endangers entire organizations. Worse still, there's no guarantee the hardware vendor has released a patch.
A vulnerability tracked as CVE-2024-54085 is threatening to bring a massive number of server products to their knees. The flaw, which carries a maximum severity rating of 10 out of 10, affects baseboard management controllers (BMCs) sold by American Megatrends (AMI) under the MegaRAC brand.
In the worst-case scenario, a successful attack could effectively turn any MegaRAC-based server into a compromised access point for an entire organization's IT infrastructure.
BMCs are specialized microcontrollers embedded in server motherboards, providing administrators with low-level access to systems. Through AMI's MegaRAC firmware, administrators can install or reinstall operating systems, deploy applications, power servers on or off, and reboot systems – all remotely. Crucially, this access operates below the operating system level, meaning endpoint security solutions are powerless to detect or block malicious activity at the BMC layer.
The CVE-2024-54085 vulnerability was first discovered and disclosed by security firm Eclypsium in March. It enables remote authentication bypass via a specially crafted HTTP request to a vulnerable BMC. By sending a specific packet of data, an attacker can gain unauthorized access to the BMC without needing valid login credentials, potentially opening the door to widespread abuse of affected servers.
More recently, the US Cybersecurity and Infrastructure Security Agency added CVE-2024-54085, along with two additional vulnerabilities, to its list of bugs that are actively exploited by cybercriminals. These types of issues pose a significant threat to federal organizations, CISA warned.
Additional information from Eclypsium highlights that publicly available exploit code for CVE-2024-54085 could have a severe impact on organizations using BMCs and AMI's MegaRAC products.
Malicious actors could potentially chain multiple BMC vulnerabilities to implant malware directly into the chip's firmware, creating an invisible, persistent threat that cannot be removed through conventional means. Once inside, attackers could harvest access credentials stored on the server and move laterally through the organization's network. Worse still, they could corrupt the BMC firmware, rendering the entire server inoperable.
Eclypsium researchers speculate that state-sponsored espionage groups, particularly those tied to the Chinese government, are well known for leveraging vulnerabilities of this nature. AMI's MegaRAC firmware is used by a wide range of hardware manufacturers, including AMD, Ampere Computing, ASRock, Arm, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm.
Some vendors have already issued patches to address CVE-2024-54085, and system administrators are strongly advised to verify and apply available updates immediately to protect their infrastructure.
Critical flaw in AMI's MegaRAC firmware puts thousands of servers at risk