Videos

How To Detect AMI BMC Vulnerabilities (CVE-2024-54085) with Eclypsium

Critical BMC Vulnerability Added to CISA KEV Catalog

Overview

CISA has just added a new baseboard management controller (BMC) vulnerability to their catalog of known exploited vulnerabilities. This is significant because it’s the first BMC vulnerability that I’m aware of being added to the KEV catalog.

As Dan Goodin from Ars Technica put it perfectly: “This actively exploited vulnerability could give attackers extraordinary control over server fleets.”

The Vulnerability Details

The vulnerability was discovered in AMI MegaRAC firmware, which is used in servers from major manufacturers including AMD, ARM, Fujitsu, Gigabyte, and Supermicro. It has received the highest possible severity rating of 10 out of 10.

AMI MegaRAC firmware is a widely used package that allows large fleets of servers to be remotely accessed and managed even when the host is powered off (the BMC runs on standby power) or the operating system isn’t functioning. The same out-of-band reach that makes it useful to operators makes a vulnerability in it particularly dangerous.

Understanding Baseboard Management Controllers

A baseboard management controller is a specialized chip that exists inside many servers and other data center infrastructure components. It’s used for remote management capabilities. When this component is vulnerable, it can grant attackers extremely deep and persistent access to the environment.

ASPEED’s BMC system-on-chips, on which firmware such as MegaRAC runs, are one example of these components, which are typically:

  • Not being monitored by security teams
  • Not being scanned by vulnerability managers
  • Operating outside the visibility of typical security solutions in network environments or data centers

The Broader Impact

I want to reference an excellent article from Cloudflare from 2022, when Eclypsium notified them about a critical vulnerability affecting BMC software in their fleet. Cloudflare provided excellent diagrams showing exactly how a baseboard management controller is positioned, what it has access to, and the potential impact of an attacker gaining access to a BMC.

The fact that one of these vulnerabilities is being actively exploited in the wild is a really big deal.

Discovering BMCs in Your Environment Using Eclypsium

Let me walk you through how to discover this type of component and determine if it’s vulnerable in your environment using Eclypsium.

Asset Discovery

Starting at the Eclypsium Management Console, navigate to the assets list. This shows a full inventory of everything Eclypsium can see or has scanned in your environment, along with their integrity status, vulnerability information, and firmware versions (which is particularly meaningful for BMC firmware).

In our demo environment, we have a server BMC from AMI listed at the top. Clicking into that device reveals an AMI BMC Linux component showing one vulnerability.

Vulnerability Details

Opening the vulnerability details shows CVE-2024-54085, the vulnerability that was just added to the CISA KEV catalog.

The overview states: “AMI’s SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish host interface. A successful exploitation of this vulnerability could lead to loss of confidentiality, integrity, or availability.”

Patching Challenges

AMI has issued a patch for this vulnerability, but there’s a complication. MegaRAC is a firmware base that each server vendor customizes and builds into its own BMC image, so most organizations cannot apply AMI’s fix directly: they must wait for their server or board vendor to incorporate it and release an updated image for each affected model. This creates a potential lag time in patch availability.

When a vulnerability gets added to the CISA Known Exploited Vulnerabilities catalog, it falls under Binding Operational Directive 22-01, which requires federal civilian agencies to patch or mitigate the vulnerability by the due date listed in the catalog entry (three weeks from the date of addition). Due to the supply chain layers involved in rolling out this patch, meeting that requirement will be challenging.

While patching might take time, mitigating controls are crucial right now: keep BMC management interfaces (Redfish/HTTPS, IPMI, SSH) on a dedicated management network that is micro-segmented from the production data network and reachable only from jump hosts, and never expose them to the internet. Then verify with a scan from the production segment that the BMC addresses are not reachable from there.

Inventory Management

To get a complete inventory of baseboard management controllers in your environment and see what brands you have deployed, use Eclypsium’s filtering capabilities:

  1. From the asset list, click “Filters”
  2. Select “Baseboard Management”
  3. The list now shows only devices that carry a baseboard management controller component

In our demo environment, we have many GPU servers in the AI data center area. None of these have the vulnerable AMI MegaRAC firmware, but clicking into individual devices reveals their baseboard management details. For example, these devices have Supermicro baseboard management controllers.
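The Eclypsium filter above gives the inventory from the console. The script below is an added example (not Eclypsium’s or AMI’s code) that does the equivalent vendor-and-firmware-version inventory directly against each BMC’s Redfish API, so the two views can be cross-checked. It assumes every BMC serves the DMTF Redfish service root at /redfish/v1/ with a Managers collection, uses only field names from the Redfish schema (Vendor, Product, Id, Model, FirmwareVersion), and ships with constructed sample responses so it runs offline; the host names and JSON are made up for illustration, and the “looks like MegaRAC” heuristic is a review flag, not a verdict on CVE-2024-54085.

```python
"""Added example, not from Eclypsium or AMI: inventory BMC vendor and
firmware version over Redfish and flag AMI MegaRAC-based managers for
review against the OEM advisory for CVE-2024-54085.
Assumptions: DMTF Redfish service root at /redfish/v1/ with a Managers
collection; the sample JSON below is constructed, not captured."""
import base64
import json
import re
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

Fetcher = Callable[[str], dict]  # Redfish path -> decoded JSON body


@dataclass
class BmcRecord:
    host: str
    vendor: str
    product: str
    manager_id: str
    model: str
    firmware: str

    @property
    def looks_like_megarac(self) -> bool:
        """Heuristic: 'AMI' as vendor or 'MegaRAC' in product/model means
        'compare this firmware with the OEM's fixed build', not 'vulnerable'.
        OEM builds may rebrand these strings, so treat a miss as unknown."""
        text = f"{self.vendor} {self.product} {self.model}".lower()
        return bool(re.search(r"\bami\b", text)) or "megarac" in text


def http_fetcher(host: str, user: str, password: str,
                 verify_tls: bool = True) -> Fetcher:
    """Authenticated GET against one BMC. verify_tls=False is tempting because
    BMCs ship self-signed certs, but it makes the session MITM-able; prefer
    trusting the BMC CA on the scanning host instead."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(path: str) -> dict:
        req = urllib.request.Request(
            f"https://{host}{path}",
            headers={"Authorization": f"Basic {token}",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return json.load(resp)
    return fetch


def dict_fetcher(table: Dict[str, dict]) -> Fetcher:
    """Offline fetcher over a path -> JSON table (for the samples below)."""
    return lambda path: table[path]


def inventory_bmc(host: str, fetch: Fetcher) -> List[BmcRecord]:
    """Walk service root -> Managers collection -> each Manager resource."""
    root = fetch("/redfish/v1/")
    managers = root.get("Managers", {}).get("@odata.id", "/redfish/v1/Managers")
    records = []
    for member in fetch(managers).get("Members", []):
        mgr = fetch(member["@odata.id"])
        records.append(BmcRecord(
            host=host, vendor=root.get("Vendor", ""),
            product=root.get("Product", ""), manager_id=mgr.get("Id", ""),
            model=mgr.get("Model", ""), firmware=mgr.get("FirmwareVersion", "")))
    return records


def report(records: List[BmcRecord]) -> List[str]:
    """CSV lines, one per manager, with a review flag in the last column."""
    rows = ["host,vendor,product,manager,model,firmware,review"]
    for r in records:
        flag = "REVIEW-AMI-ADVISORY" if r.looks_like_megarac else "-"
        rows.append(f"{r.host},{r.vendor},{r.product},{r.manager_id},"
                    f"{r.model},{r.firmware},{flag}")
    return rows


# Constructed sample responses (not from any real device).
SAMPLE_AMI = {
    "/redfish/v1/": {"Vendor": "AMI", "Product": "MegaRAC SP-X",
                     "Managers": {"@odata.id": "/redfish/v1/Managers"}},
    "/redfish/v1/Managers": {"Members": [{"@odata.id": "/redfish/v1/Managers/Self"}]},
    "/redfish/v1/Managers/Self": {"Id": "Self", "Model": "MegaRAC",
                                  "FirmwareVersion": "1.02.00"},
}
SAMPLE_OTHER = {
    "/redfish/v1/": {"Vendor": "ExampleCorp", "Product": "Example Server",
                     "Managers": {"@odata.id": "/redfish/v1/Managers"}},
    "/redfish/v1/Managers": {"Members": [{"@odata.id": "/redfish/v1/Managers/1"}]},
    "/redfish/v1/Managers/1": {"Id": "1", "Model": "ExampleBMC",
                               "FirmwareVersion": "4.10"},
}

if __name__ == "__main__":
    found = (inventory_bmc("bmc-a.example", dict_fetcher(SAMPLE_AMI))
             + inventory_bmc("bmc-b.example", dict_fetcher(SAMPLE_OTHER)))
    print("\n".join(report(found)))
```

For a real fleet, replace `dict_fetcher(SAMPLE_AMI)` with `http_fetcher("10.0.0.5", "admin", password)` per BMC and feed the CSV to whatever tracks remediation; the firmware column is what you compare against the fixed version your server vendor publishes, since the script deliberately does not hard-code a “fixed” version it cannot know for every OEM build.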

Additional Vulnerabilities

Exploring other devices with baseboard management controllers may reveal additional vulnerabilities. For instance, a Nokia device in our environment shows eight vulnerabilities, with two affecting the baseboard management controller. One of these is CVE-2019-6260, nicknamed “Pantsdown,” in which the AHB bridges on ASPEED AST2400/AST2500 BMCs give the host arbitrary read and write access to the BMC’s physical address space, so a compromised host OS can rewrite the BMC from below.

The Bigger Picture

Historically, Eclypsium has reported many baseboard management controller vulnerabilities, but this is the first time one has been added to the Known Exploited Vulnerabilities list. It continues a trend in attacker behavior: targeting low-level infrastructure components (network devices, BMCs, firmware) that typically:

  • Are not monitored by cybersecurity solutions
  • Have extensive access to other components and assets
  • Provide an excellent starting point for establishing a beachhead
  • Enable lateral movement and data exfiltration without detection
  • Allow attackers to take over other devices in the environment

Conclusion

Use Eclypsium to inventory the baseboard management controllers in your environment and gain visibility into which vendors and firmware versions are installed. This helps you identify any instances of AMI MegaRAC firmware that might be vulnerable to CVE-2024-54085, which has just been added to the KEV catalog.

This proactive approach to BMC security is essential for protecting your infrastructure from these sophisticated, low-level attacks.