  • Firmware vulnerabilities in millions of computers could give hackers superuser status

    alf9872000

    BMCs give near-total control over entire fleets of servers. What happens when they're hacked?

    Two years ago, ransomware crooks breached hardware-maker Gigabyte and dumped more than 112 gigabytes of data that included information from some of its most important supply-chain partners, including Intel and AMD. Now researchers are warning that the leaked information revealed what could amount to critical zero-day vulnerabilities that could imperil huge swaths of the computing world.

     

    The vulnerabilities reside inside firmware that Duluth, Georgia-based AMI makes for BMCs (baseboard management controllers). These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what’s known in the industry as “lights-out” system management.

    Lights-out forever

    Researchers from security firm Eclypsium analyzed AMI firmware leaked in the 2021 ransomware attack and identified vulnerabilities that had lurked for years. They can be exploited by any local or remote attacker with access to an industry-standard remote-management interface known as Redfish to execute malicious code that will run on every server inside a data center.

     

    Until the vulnerabilities are patched using an update AMI published on Thursday, they provide a means for malicious hackers—both financially motivated and nation-state sponsored—to gain superuser status inside some of the most sensitive cloud environments in the world. From there, the attackers could install ransomware and espionage malware that runs at some of the lowest levels inside infected machines. Successful attackers could also cause physical damage to servers or indefinite reboot loops that a victim organization can’t interrupt. Eclypsium warned such events could lead to “lights out forever” scenarios.

     

    In a post published Thursday, Eclypsium researchers wrote:

     

    These vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions. They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system. Redfish is the successor to traditional IPMI and provides an API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project often used in modern hyperscale environments.

    These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use. They can also impact upstream suppliers to organizations and should be discussed with key 3rd parties as part of general supply chain risk management due diligence.

    BMCs are designed to provide administrators with near total and remote control over the servers they manage. AMI is a leading provider of BMCs and BMC firmware to a wide range of hardware vendors and cloud service providers. As a result, these vulnerabilities affect a very large number of devices, and could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud service infrastructure. The same logic flaws may affect devices in fall-back data centers in different geographic regions that are part of the same service provider, and can challenge assumptions cloud providers (and their customers) often make in the context of risk management and continuity of operations.

     

    The researchers went on to note that if they could locate the vulnerabilities and write exploits after analyzing the publicly available source code, there’s nothing stopping malicious actors from doing the same. And even without access to the source code, the vulnerabilities could still be identified by decompiling BMC firmware images. There's no indication malicious parties have done so, but there's also no way to know they haven't.

     

    The researchers privately notified AMI of the vulnerabilities, and the company created firmware patches, which are available to customers through a restricted support page. AMI has also published an advisory here.

     

    The vulnerabilities are:

    • CVE-2023-34329, an authentication bypass via HTTP headers, with a severity rating of 9.9 out of 10, and
    • CVE-2023-34330, a code injection via Dynamic Redfish Extension, with a severity rating of 8.2.

    Dire outcomes

    There are a variety of post-exploit scenarios that depend on the specific configurations inside vulnerable environments and methods used by parties exploiting the vulnerabilities. The most dire outcome follows when an attacker combines the two vulnerabilities. The researchers wrote:

     

    When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it.

     

    The Redfish interface allows for two authentication options—“basic auth,” which uses a mechanism supported by some BIOS firmware, and “no auth,” which only verifies that communication is coming from the USB0 network address, also known as the internal host interface. Attackers can exploit CVE-2023 to execute malicious code.

     

    “By spoofing certain HTTP headers, an attacker can trick BMC into believing that external communication is coming in from the USB0 internal interface,” the researchers wrote. “When this is combined on a system shipped with the No Auth option configured, the attacker can bypass authentication, and perform Redfish API actions.”
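    The flaw described above is a trust decision made from data the client controls. The following is an added illustration, not AMI's firmware code and not the Eclypsium proof of concept: it contrasts an "is this request internal?" check that reads an HTTP header (the pattern the researchers describe) with one that derives the answer from the peer address of the connection, and runs a simple audit over constructed log lines to flag requests that claim an internal origin from an external address. The header name X-Source-Interface, the 169.254.0.0/16 address range for the USB0 host interface and the log format are assumptions made for this example; the article does not state which headers or addresses are involved.

```python
"""Illustrative example of header-based vs transport-based origin checks.

Not AMI's code. Header name, address range and log format are constructed
for this example; the real values are not given in the article.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumed address range of the BMC's internal host interface (USB0).
INTERNAL_HOST_NET = ipaddress.ip_network("169.254.0.0/16")  # constructed

# Hypothetical header name used by the flawed check below.
ORIGIN_HEADER = "X-Source-Interface"


@dataclass
class Request:
    peer_addr: str                       # address the TCP connection came from
    headers: dict = field(default_factory=dict)
    path: str = "/redfish/v1/AccountService/Accounts"


def is_internal_vulnerable(req):
    """Flawed pattern: trusts a client-supplied header to decide the origin."""
    return req.headers.get(ORIGIN_HEADER, "").lower() == "usb0"


def is_internal_hardened(req):
    """Sound pattern: derives the origin from the socket's peer address.

    Assumes the BMC terminates the TCP connection itself; behind a reverse
    proxy you would instead trust only the configured proxy's address.
    """
    try:
        addr = ipaddress.ip_address(req.peer_addr)
    except ValueError:
        return False
    return addr in INTERNAL_HOST_NET


def authorize(req, no_auth_enabled, is_internal, has_credentials=False):
    """Redfish-style gate: with 'no auth', internal requests skip auth.

    Returns True when the request may proceed to the Redfish handler.
    """
    if has_credentials:
        return True
    return no_auth_enabled and is_internal(req)


# Constructed sample access-log lines (not real BMC output):
# "<peer> <method> <path> hdr=<name>:<value>|- <status>"
SAMPLE_LOG = [
    "169.254.0.17 POST /redfish/v1/AccountService/Accounts hdr=X-Source-Interface:usb0 201",
    "203.0.113.5 POST /redfish/v1/AccountService/Accounts hdr=X-Source-Interface:usb0 201",
    "198.51.100.9 GET /redfish/v1/Systems hdr=- 401",
]


def find_spoofed(lines):
    """Audit: flag lines whose header claims USB0 but whose peer is external."""
    flagged = []
    for line in lines:
        peer, _method, _path, hdr, _status = line.split()
        claims_internal = hdr.lower().endswith(":usb0")
        if claims_internal and not is_internal_hardened(Request(peer)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    spoof = Request("203.0.113.5", {ORIGIN_HEADER: "usb0"})
    print("vulnerable check admits spoofed request:",
          authorize(spoof, True, is_internal_vulnerable))   # True
    print("hardened check admits spoofed request:",
          authorize(spoof, True, is_internal_hardened))     # False
    for entry in find_spoofed(SAMPLE_LOG):
        print("suspicious:", entry)
```

    The hardened check is only as good as the network it sits on: if the "internal" address range is reachable from the management LAN, or a proxy rewrites the peer address, the transport-level check collapses back into a header-level one. Disabling the "no auth" option where it is not needed removes the trust decision altogether.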

     

    One example would be to create an account that poses as a legitimate administrator and has all system rights afforded one.

     

    CVE-2023-34330, meanwhile, can be exploited on systems with the no auth setting to let attackers execute code of their choice. In the event the no auth option isn’t enabled, the attackers first must have BMC credentials. That’s a higher bar but by no means out of reach for sophisticated actors.

     

    The vulnerabilities can be exploited by attackers who gain access to a server's BMC, but also by those with initial access into a data center or administrator network. In the event systems are misconfigured to allow direct access, the vulnerabilities can also be exploited over the Internet. Yet another possibility is exploiting the vulnerabilities after compromising the operating system of the server.

    Patch early and often

    The update AMI is making available to customers patches five other vulnerabilities credited to security firm Nozomi Labs.

     

    HD Moore, the CTO and co-founder at runZero and a researcher with experience breaking into data centers through their BMCs, said installing the update is crucial.

     

    “The attack chain identified by Eclypsium allows a remote attacker to completely and possibly permanently compromise vulnerable MegaRAC BMCs,” he explained. “This attack would be 100 percent reliable and difficult to detect after the fact.”

     

    He said that updating the vulnerable AMI firmware won’t be especially onerous if environments have either:

     

    1) Configured BMC-enabled ethernets used for out-of-band administration to use a dedicated network (something that’s common for many cloud/hosting providers). BMC interfaces, including Redfish and IPMI, allow remote upgrades.

     

    2) Put in place automation processes for pushing patches/upgrades through the server operating system itself.

     

    Organizations that rely on AMI-powered BMCs to manage their servers should install the updates as soon as possible. These organizations should also familiarize themselves with Operational Directive 23-02, issued by the Cybersecurity and Infrastructure Security Agency. The directive is binding on all US federal government agencies and should be considered best practices by all other organizations.

     
