An alarming discovery of critical vulnerabilities in AMI’s BMC controllers after a 2021 data breach puts millions of enterprise and cloud servers at risk.
Researchers have identified vulnerabilities in AMI’s BMC controllers used by several server manufacturers. Eclypsium researchers discovered these critical flaws following a 2021 data breach at GigaByte, which had been targeted by the RansomEXX and Avos Locker ransomware groups.
These vulnerabilities reside in AMI’s firmware for MegaRAC BMC controllers, independent subsystems used for remote server management and maintenance. Administrators can control and manage servers remotely, even when the servers are powered off. BMC controllers are commonly integrated into the server’s motherboard and connected to a dedicated management network via a physical or logical interface.
Among the discovered flaws, CVE-2023-34329 and CVE-2023-34330 are particularly critical, with a severity score of 10. Attackers, local or remote, could exploit these vulnerabilities to gain super-user status through the standard remote management interface called Redfish. Redfish, successor to the traditional Intelligent Platform Management Interface (IPMI), is used by many major IT infrastructure providers and the OpenBMC project.
This situation presents a broad attack surface potentially affecting millions of on-site and cloud servers. Eclypsium experts warned of risks, including compromised remote server control, deployment of malware and ransomware, and the possibility of modifying motherboard components, leading to physical server damage or infinite reboot loops. They also cautioned that these flaws could be exploited in supply chain attacks.
AMI has responded by releasing patches for these critical flaws and urges affected companies to update their firmware promptly to enhance security.
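One defender-side check that follows from this advice is to inventory the firmware version each BMC reports over Redfish and flag any below the fixed release. This is an added example, not AMI’s or Eclypsium’s code; the minimum version is a placeholder (the article names no fixed version) and the sample Manager resources are constructed, while the `/redfish/v1/Managers` collection, the `FirmwareVersion` property and the `X-Auth-Token` session header are standard Redfish.

```python
"""Audit BMC firmware versions reported over Redfish (added example, not AMI's
or Eclypsium's code). MIN_PATCHED_VERSION is a PLACEHOLDER: take the real
fixed MegaRAC release from AMI's advisory before using this in production."""
import json
import re
import urllib.request

MIN_PATCHED_VERSION = "1.2.3"  # PLACEHOLDER, not a real AMI release number

# Constructed sample Manager resources, shaped like GET /redfish/v1/Managers/<id>.
SAMPLE_MANAGERS = [
    {"@odata.id": "/redfish/v1/Managers/Self", "ManagerType": "BMC",
     "Model": "constructed MegaRAC", "FirmwareVersion": "1.1.9"},
    {"@odata.id": "/redfish/v1/Managers/BMC", "ManagerType": "BMC",
     "Model": "constructed MegaRAC", "FirmwareVersion": "1.2.3"},
    {"@odata.id": "/redfish/v1/Managers/Encl", "ManagerType": "EnclosureManager",
     "FirmwareVersion": "0.9"},
]

def parse_version(text):
    """Version string -> tuple of ints; every run of digits counts as a component."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))

def is_patched(fw_version, minimum=MIN_PATCHED_VERSION):
    """True when the reported firmware is at or above the minimum fixed version."""
    current = parse_version(fw_version)
    return bool(current) and current >= parse_version(minimum)

def audit_managers(managers, minimum=MIN_PATCHED_VERSION):
    """Return (odata_id, firmware, status) per BMC; status is ok/UPDATE/unknown."""
    findings = []
    for m in managers:
        if m.get("ManagerType") != "BMC":
            continue  # enclosure or rack managers are outside this check
        fw = m.get("FirmwareVersion")
        status = ("unknown" if not parse_version(fw)
                  else "ok" if is_patched(fw, minimum) else "UPDATE")
        findings.append((m.get("@odata.id"), fw, status))
    return findings

def fetch_managers(base_url, token, timeout=10):
    """Live variant: walk the Managers collection using a Redfish session token."""
    def get(path):
        req = urllib.request.Request(base_url + path, headers={"X-Auth-Token": token})
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified
            return json.load(resp)
    return [get(m["@odata.id"]) for m in get("/redfish/v1/Managers").get("Members", [])]

if __name__ == "__main__":
    for odata_id, fw, status in audit_managers(SAMPLE_MANAGERS):
        print(f"{status:8}{fw or '?':10}{odata_id}")
```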