A critical vulnerability in MegaRAC BMC allows unauthorized attackers to execute code on servers. MegaRAC BMC is one of the world’s most popular server management solutions.

On-premises datacenter operators and cloud providers use MegaRAC BMC to remotely manage servers. The technology is incorporated into systems from manufacturers such as Dell EMC, HPE, Lenovo and AMD.

In August 2022, security firm Eclypsium discovered three vulnerabilities in the firmware of MegaRAC BMC. The vulnerabilities were recently disclosed.

Critical vulnerability

The most severe issue (CVE-2022-40259) received a CVSS score of 9.9. The vulnerability allows attackers to execute code by sending a Redfish API call to systems running MegaRAC BMC firmware.

Redfish is an API standard for server management. Most infrastructure vendors support the standard. The firmware of MegaRAC BMC contains an implementation of Redfish. A flaw in the implementation allows attackers to send and execute code on a system through a Redfish API call.

Redfish API calls aren’t accepted from every sender. An attacker needs an account with low-level privileges to exploit the vulnerability.

Vulnerabilities with such a condition rarely receive CVSS scores of 9.9, but this is an exceptional case. MegaRAC BMC is an industry standard for server management. The firmware is incorporated into a huge number of hardware systems.

No simple patch

MegaRAC BMC is developed by American Megatrends. Over the past few months, the organization collaborated with Eclypsium to mitigate the impact of the vulnerability.

As MegaRAC BMC is incorporated into various hardware systems and software solutions, it’s difficult to resolve the vulnerability with a single patch.

According to Eclypsium, it’s currently unknown whether the vulnerability is being actively exploited by cybercriminals. The security company advised organizations to take several precautions.

Admin accounts and usernames

In addition to the problem in Redfish, Eclypsium discovered two vulnerabilities with lower CVSS scores. First, MegaRAC BMC ships with a default admin account and a default password, allowing attackers to gain high-privilege access (CVE-2022-40242).

Second, a flaw in MegaRAC BMC’s password recovery process allows attackers to check whether a username is in use, which can help them deduce the usernames of existing accounts (CVE-2022-2827).
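The username-enumeration pattern described above, as an added illustration that is not MegaRAC's or Eclypsium's code: a constructed password-recovery handler whose reply reveals whether an account exists, beside a hardened version that answers identically either way, plus a self-check a defender can run against a handler. The account store, mail queue and handler names are assumptions for the example.

```python
# Added example (not MegaRAC's or Eclypsium's code): a password-recovery
# handler that leaks account existence, a hardened one, and a self-check.
import secrets

# Constructed in-memory account store: username -> e-mail on file.
ACCOUNTS = {"admin": "admin@example.invalid", "ops": "ops@example.invalid"}
OUTBOX = []  # hypothetical stand-in for the outgoing mail queue


def queue_reset_mail(address, token):
    """Hypothetical mail queue. The hardened handler calls this on every
    request so a valid and an invalid username do the same amount of work."""
    if address is not None:
        OUTBOX.append((address, token))


def recover_leaky(username):
    """Vulnerable pattern: the reply itself says whether the username exists."""
    if username not in ACCOUNTS:
        return {"status": 404, "message": "unknown user"}
    queue_reset_mail(ACCOUNTS[username], secrets.token_urlsafe(32))
    return {"status": 200, "message": "reset mail sent"}


def recover_uniform(username):
    """Hardened pattern: same status and message regardless of the username,
    and the same code path either way, so the body does not leak existence."""
    token = secrets.token_urlsafe(32)
    queue_reset_mail(ACCOUNTS.get(username), token)
    return {"status": 200,
            "message": "if an account with that name exists, a reset mail has been sent"}


def leaks_existence(handler, known="admin", unknown="no-such-user"):
    """Self-check for a recovery handler: True if a known and an unknown
    username produce observably different responses (status or body)."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_existence(recover_leaky))      # True
    print("uniform handler leaks:", leaks_existence(recover_uniform))  # False
```

The self-check only covers response content; a real review should also compare response timing, since a slow path taken only for valid usernames leaks the same information.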
