In context: Researchers at cybersecurity firm Eclypsium have detailed two new critical vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) software made by American Megatrends International (AMI). BMCs help streamline the management of large server fleets by allowing system administrators to monitor and control them remotely, even when the servers are powered off. Popularly known as 'lights out' system management, the BMC software offers extensive control over multiple servers at once, making BMCs a lucrative target for hackers.

Given the extensive control BMCs provide to system admins, any security vulnerability in the software is bad news, and even more so when it's from AMI, as its BMC firmware is present in millions of devices from major vendors like Ampere, Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

The newly discovered vulnerabilities in AMI's BMC firmware are tracked as CVE-2023-34329 and CVE-2023-34330. While the former is a critical authentication bypass issue that can be exploited by spoofing HTTP headers, the latter is a code injection flaw. The vulnerabilities were discovered by analyzing the leaked AMI source code from the 2021 Gigabyte data breach, which saw 112GB of confidential data stolen by the notorious hacking syndicate RansomEXX.

According to Eclypsium's blog post, the new vulnerabilities are a critical threat to organizations everywhere, as malicious actors with access to an affected server can do almost anything with it remotely, including installing or uninstalling any software.

The Eclypsium researchers also described one theoretical scenario to explain what's at stake here. According to them, an attacker could easily take over an affected machine and use its BMC functionality to create a continuous shutdown loop that prevents legitimate users from accessing it. Since the exact origin of an attack like this would be difficult to pin down, it could also be used to extort companies that may have no option other than to pay up to regain control over their networks.

The researchers also pointed out that threat actors with control over an organization's systems could surreptitiously access KVM (keyboard/video/mouse) functionality to monitor legitimate users and even control the machines themselves. Another threat is potential tampering with the system's power management, which can brick entire fleets of servers at once.

The researchers say they are not aware of either of the two vulnerabilities being exploited in the wild, but they have published proof-of-concept (PoC) exploits that suggest it is possible for hackers to successfully target affected systems.