A critical security vulnerability has been disclosed in AMI’s MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.
The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.
“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),” firmware security company Eclypsium said in a report shared with The Hacker News.
“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop.”
The vulnerability can further be weaponized to stage disruptive attacks, causing susceptible devices to continually reboot by sending malicious commands. This could then pave the way for indefinite downtime until the devices are re-provisioned.
CVE-2024-54085 is the latest in a long list of security shortcomings that have been uncovered in AMI MegaRAC BMCs since December 2022. They have been collectively tracked as BMC&C.
Eclypsium noted that CVE-2024-54085 is similar to CVE-2023-34329 in that it allows for an authentication bypass with a similar impact. The vulnerability has been confirmed to affect the below devices –
- HPE Cray XD670
- Asus RS720A-E11-RS24U
- ASRockRack
AMI has released patches to address the flaw as of March 11, 2025. While there is no evidence that the issue has been exploited in the wild, it is essential that downstream users update their systems once OEM vendors incorporate these fixes and release them to their customers.
“Note that patching these vulnerabilities is a non-trivial exercise, requiring system downtime,” Eclypsium said. “The vulnerability only affects AMI’s BMC software stack. However, since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers.”