As clock ticks, vendors slowly patch critical flaw in AMI MegaRAC BMC firmware

News | Apr 24, 2025 | 4 mins
Topics: Data Center Management, Servers, Vulnerabilities

Lenovo patches have now appeared as the slow-motion industry effort to fix the issue trundles on.


Weeks after firmware developer AMI released an update fixing a critical vulnerability in its MegaRAC baseboard management controller (BMC) firmware, which is used in many enterprise servers and storage systems, OEM patches addressing the issue are only slowly trickling out.

A BMC is a dedicated microcontroller on the server motherboard, with its own firmware, network port and power, that lets IT teams monitor, troubleshoot and control servers out of band, typically through the industry-standard Redfish REST API, even when the host is powered off or its OS is unresponsive. Because it runs below and independently of the host OS, anything an attacker installs on it is invisible to host-based security tools and survives an OS reinstall, which is what makes BMC exploits particularly dangerous.

A patch for the latest vulnerability, identified as CVE-2024-54085, was released by AMI on March 11. However, AMI's fix was only the beginning of the story: each OEM still had to integrate the update into the firmware images for its individual server products, test them and publish them.

That has taken time, lengthening the window in which an attacker could exploit the issue on unpatched systems.

Who is affected

The latest vendor to release patches is Lenovo, whose update appears to have arrived only on April 17. Asus patches for four motherboard models also appeared only this week, although exactly when they were posted is unconfirmed; the dates on the updates range from March 12 to March 28.

Among the first to release a patch was Hewlett Packard Enterprise (HPE), which on March 20 published an update for its HPE Cray XD670, a system used for AI and high-performance computing (HPC) workloads. Other OEMs known to use AMI's MegaRAC BMC include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm.

Dell, on the other hand, has confirmed that its systems are unaffected by the MegaRAC issue, since it uses its own Integrated Dell Remote Access Controller (iDRAC) in its servers.

How could attackers exploit the flaw?

A week after AMI posted its patch in March, Eclypsium, the company that discovered the vulnerability in late 2024, published more details of how it works:

“To our knowledge, the vulnerability only affects AMI’s BMC software stack. However, since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers,” wrote Eclypsium researchers.

The flaw carries the maximum CVSS score of 10 and is rated 'critical'. According to Eclypsium, it allows a remote attacker to bypass authentication on the Redfish interface, with outcomes ranging from remote control of the server and deployment of malware or ransomware to destructive actions such as unstoppable reboot loops and even bricked motherboards.

In short, it would not be a good day for victims, although no exploitation of the vulnerability has so far been detected. But as with any software vulnerability, what counts is the speed and ease with which it is patched.

The first issue illustrated by the apparently slow response to CVE-2024-54085 is how complex patching becomes when the vulnerable code sits upstream in a supply chain that spans more than one vendor.

To complicate matters, not all servers from a given vendor use AMI's BMC firmware, so many IT teams already have more than one such product to look after. For example, while HPE's mainstream ProLiant servers use HPE's proprietary Integrated Lights-Out (iLO), products in its other lines such as Cray and Apollo use MegaRAC.

Not again

A second worry is the sheer number of vulnerabilities Eclypsium has uncovered in AMI’s MegaRAC BMC in recent times.

In addition to the current vulnerability, these include, since late 2022, CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, CVE-2022-40258, CVE-2023-34329, and CVE-2023-34330.

Ironically, the company discovered the latest flaw when examining AMI’s fix for one of these, CVE-2023-34329, a similarly dangerous authentication bypass issue.

Mitigation

Eclypsium's mitigation advice, in its March post about the flaw, was that organizations should ensure that server management interfaces are never exposed externally, that BMC firmware is regularly updated and monitored for signs of compromise, and that all new equipment is patched on arrival and checked for out-of-date firmware versions and supply chain implants.
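As an added example (not code from the article, AMI or Eclypsium), the following Python script shows the "check for out-of-date firmware" part of that advice in a form that could be run across a fleet: it walks each BMC's Redfish tree from the service root to its Manager resources, reads the reported FirmwareVersion, and compares it against an operator-maintained minimum fixed version per manufacturer and model. The host names, Redfish documents, manufacturer/model strings and minimum versions are all constructed for illustration; the real minimum versions must be taken from each OEM's advisory for CVE-2024-54085, and a production run would replace sample_fetch with an authenticated HTTPS GET.

```python
"""Fleet check of BMC firmware versions over Redfish.

Added example; not code from the article, AMI or Eclypsium. Every host name,
Redfish document, manufacturer/model string and minimum version below is
constructed for illustration.
"""
import re
from typing import Callable, Dict, List, Tuple

# A fetcher returns the decoded JSON for GET https://<host><path>.
Fetch = Callable[[str, str], dict]

# Constructed Redfish responses standing in for three BMCs (no real devices).
_SAMPLE_TREE: Dict[Tuple[str, str], dict] = {
    ("bmc-a.mgmt.example", "/redfish/v1"): {"Managers": {"@odata.id": "/redfish/v1/Managers"}},
    ("bmc-a.mgmt.example", "/redfish/v1/Managers"): {"Members": [{"@odata.id": "/redfish/v1/Managers/1"}]},
    ("bmc-a.mgmt.example", "/redfish/v1/Managers/1"): {
        "Id": "1", "Manufacturer": "ExampleOEM", "Model": "ExampleBMC", "FirmwareVersion": "1.05.02"},
    ("bmc-b.mgmt.example", "/redfish/v1"): {"Managers": {"@odata.id": "/redfish/v1/Managers"}},
    ("bmc-b.mgmt.example", "/redfish/v1/Managers"): {"Members": [{"@odata.id": "/redfish/v1/Managers/bmc"}]},
    ("bmc-b.mgmt.example", "/redfish/v1/Managers/bmc"): {
        "Id": "bmc", "Manufacturer": "ExampleOEM", "Model": "ExampleBMC", "FirmwareVersion": "1.04.00"},
    ("bmc-c.mgmt.example", "/redfish/v1"): {"Managers": {"@odata.id": "/redfish/v1/Managers"}},
    ("bmc-c.mgmt.example", "/redfish/v1/Managers"): {"Members": [{"@odata.id": "/redfish/v1/Managers/1"}]},
    ("bmc-c.mgmt.example", "/redfish/v1/Managers/1"): {
        "Id": "1", "Manufacturer": "OtherVendor", "Model": "OtherBMC", "FirmwareVersion": "7.10"},
}


def sample_fetch(host: str, path: str) -> dict:
    """Offline stand-in for an authenticated HTTPS GET against a BMC."""
    return _SAMPLE_TREE[(host, path)]


# Operator-maintained baseline: lowest fixed firmware version per
# (Manufacturer, Model). Hypothetical values; real ones come from the OEM advisory.
MINIMUM_FIXED: Dict[Tuple[str, str], str] = {
    ("ExampleOEM", "ExampleBMC"): "1.05.00",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a version string to its numeric fields, e.g. '1.05.02' -> (1, 5, 2).

    Tolerates prefixes and separators ('v1.05.02', '1_05_02'); an empty or
    non-numeric string becomes () and therefore sorts below every real version.
    """
    return tuple(int(field) for field in re.findall(r"\d+", version))


def managers(host: str, fetch: Fetch) -> List[dict]:
    """Walk ServiceRoot -> Managers collection -> each Manager resource."""
    root = fetch(host, "/redfish/v1")
    collection = fetch(host, root["Managers"]["@odata.id"])
    return [fetch(host, member["@odata.id"]) for member in collection.get("Members", [])]


def assess(host: str, manager: dict, baseline: Dict[Tuple[str, str], str]) -> dict:
    """Classify one Manager as ok / outdated / unknown against the baseline."""
    key = (manager.get("Manufacturer", ""), manager.get("Model", ""))
    version = manager.get("FirmwareVersion", "")
    minimum = baseline.get(key)
    if minimum is None:
        status = "unknown"      # no baseline: needs human review, never a silent pass
    elif parse_version(version) >= parse_version(minimum):
        status = "ok"
    else:
        status = "outdated"
    return {"host": host, "manager": manager.get("Id", "?"), "manufacturer": key[0],
            "model": key[1], "version": version, "minimum": minimum, "status": status}


def check_fleet(hosts: List[str], fetch: Fetch = sample_fetch,
                baseline: Dict[Tuple[str, str], str] = MINIMUM_FIXED) -> List[dict]:
    """Return one finding per Manager across all hosts, in host order."""
    findings: List[dict] = []
    for host in hosts:
        try:
            for manager in managers(host, fetch):
                findings.append(assess(host, manager, baseline))
        except (KeyError, TypeError) as exc:
            # Unreachable host or malformed tree: record it rather than skip it.
            findings.append({"host": host, "manager": None, "manufacturer": None,
                             "model": None, "version": None, "minimum": None,
                             "status": f"error: {exc!r}"})
    return findings


if __name__ == "__main__":
    fleet = ["bmc-a.mgmt.example", "bmc-b.mgmt.example", "bmc-c.mgmt.example"]
    for finding in check_fleet(fleet):
        print(f"{finding['host']:<22} {finding['model'] or '-':<12} "
              f"{finding['version'] or '-':<10} {finding['status']}")
```

Two design choices matter here. A BMC whose manufacturer and model have no baseline entry is reported as unknown rather than passed, so a newly racked model from an unexpected vendor gets human review instead of slipping through; and a host that cannot be walked is recorded as an error rather than dropped, since an unreachable management interface is exactly the kind of gap an attacker benefits from. Versions are compared numerically field by field, which handles zero-padded strings such as 1.05.02, but any vendor-specific numbering scheme should be checked against that vendor's documentation before the comparison is trusted.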

John E. Dunn is a veteran cybersecurity reporter, specializing in crisis response, ransomware, data breaches, encryption, quantum computing and QKD, DevSecOps, managed services, cybersecurity in education, retail cybersecurity, vulnerability reporting, and cybersecurity ethics.

John is a former editor of the UK editions of Personal Computer Magazine, LAN Magazine, and Network World. In 2003 he co-founded Techworld, since when he has covered cybersecurity and business computing for a range of publications including Computerworld, Forbes, Naked Security, The Register, and The Times.
