A critical security vulnerability, identified as CVE-2024-54085, has been discovered in AMI’s MegaRAC Baseboard Management Controller (BMC) software. The flaw can be exploited remotely and lets attackers bypass authentication, giving them the ability to take control of compromised servers, deploy malware, tamper with firmware, and even cause significant hardware damage or reboot loops. It carries a CVSS v4 score of 10.0. The primary targets of this flaw are remote management interfaces or internal host-to-BMC interfaces used in countless devices worldwide.
CVE-2024-54085 is the latest in a series of security issues affecting AMI MegaRAC BMCs since the end of 2022, joining earlier notable flaws such as CVE-2022-40259, which permits arbitrary code execution, and CVE-2023-34329, which facilitates authentication bypass. Devices known to be affected by the new flaw include the HPE Cray XD670, the Asus RS720A-E11-RS24U, and specific products from ASRockRack. The vulnerability’s reach means a large potential for disruption across the many industries that rely on these devices for essential infrastructure operations.
Response from Manufacturers and Impact on the Industry
In response, AMI released critical patches starting March 11 and made them available for integration. Manufacturers such as HPE and Lenovo have acted swiftly to incorporate these patches into their products. Updating these systems is not without challenges, however: it demands significant downtime, which complicates patching in operational environments that cannot afford extended periods of inactivity. The firmware security company Eclypsium has detailed the flaw, stressing its extensive downstream impact owing to the pervasive presence of AMI BMC software in the BIOS supply chain.
There is no evidence that this vulnerability has been exploited in the wild, which offers a slight respite. It does not, however, diminish the urgency with which OEM vendors must adopt AMI’s patches. The far-reaching consequences of failing to secure these systems underscore the need for vigilance in managing firmware security risks, and timely updates are crucial to preventing potentially catastrophic disruptions. Organizations and end-users operating affected devices need to stay informed about the latest updates and patches to safeguard against further security breaches.
The Path Forward
Organizations must take immediate action to address CVE-2024-54085, the critical vulnerability discovered in AMI’s MegaRAC Baseboard Management Controller (BMC) software. It opens the door to severe remote attacks in which attackers bypass authentication, take control of compromised servers, deploy malware, tamper with firmware, and cause significant hardware damage or reboot loops. The flaw carries a CVSS v4 score of 10.0.
CVE-2024-54085 adds to a series of security issues affecting AMI MegaRAC BMCs since late 2022, including CVE-2022-40259, which allows arbitrary code execution, and CVE-2023-34329, which enables authentication bypass. Impacted devices include notable models like the HPE Cray XD670, Asus RS720A-E11-RS24U, and certain ASRockRack products. The vulnerability’s widespread reach indicates a substantial risk for disruption across industries that depend on these devices for vital infrastructure operations.