Attackers can target vulnerabilities in the baseboard management controller (BMC) firmware of American Megatrends Inc. (AMI) and use them to run malicious code on servers, including those in cloud data centers.
Hazardous supply chain
Administrators maintain servers remotely through the BMC (keywords: out-of-band management, lights-out management). AMI's remote-maintenance firmware (MegaRAC) is widespread and is used by manufacturers such as AMD, Asus, Dell, Nvidia and Qualcomm.
According to a report by security researchers at Eclypsium, three vulnerabilities are lurking in the BMC firmware: CVE-2022-40259 (rated "critical"), CVE-2022-40242 ("high") and CVE-2022-2827 ("high"). Because the same firmware ships in products from many manufacturers, all of them are affected, which is why the researchers describe the case as a supply chain problem.
Malicious code attacks are possible
If attackers successfully exploit the first two vulnerabilities, they end up with an administrator shell on the BMC. From there they could, among other things, execute malicious code and compromise entire server farms. According to the researchers, all it takes in one case is sending a prepared URL to the Redfish remote management interface. A comparable incident was reported in early 2022, when a rootkit made its way in through a gap in HPE's iLO remote maintenance controller.
According to the security researchers, it is not yet known whether the current vulnerabilities have already been attacked. Their report also does not clearly state whether security patches are available for the vulnerabilities mentioned. Even where patches exist, rolling out updates across the board is difficult because of the many parties and products involved, a general problem with supply chain vulnerabilities.
Protect effectively
In their general security guidance, the researchers advise administrators, among other things, to keep all servers up to date and never to expose BMCs to the public Internet. If there is no other way, access should be restricted to a VPN or SSH jump host and protected against unauthorized use with strong authentication. After scanning the Internet, the researchers say they found only a comparatively small number of BMCs reachable directly from the Internet.
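The first thing to check against that advice is whether any of your own BMCs answer on a publicly routable address. The script below is an added example, not code from Eclypsium or from the article: it takes a constructed inventory of BMC addresses, classifies each one as internal or externally routable using its own list of internal ranges (an assumption: RFC 1918, loopback, link-local and CGNAT are treated as internal, everything else as reachable, which is deliberately narrower than the standard library's notion of a "global" address so that the sample addresses below are classified), and probes the Redfish service root at /redfish/v1/ to see whether a BMC is actually listening. The HTTP fetcher is injectable so the audit can run offline against constructed responses; with no fetcher supplied it performs a real HTTPS GET with certificate checking disabled, since BMCs typically ship self-signed certificates and the only question here is whether the service answers.

```python
import ipaddress
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

REDFISH_ROOT = "/redfish/v1/"

# Assumption for this audit: only these ranges count as "internal".
# Anything else is treated as externally routable and therefore a finding.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]


def is_externally_routable(addr: str) -> bool:
    """True if addr is outside every internal range listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_RANGES)


def _https_get(url: str, timeout: float) -> Optional[str]:
    """Fetch url over HTTPS without certificate validation; None on any failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # BMCs commonly use self-signed certs
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def probe_redfish(host: str,
                  fetch: Optional[Callable[[str], Optional[str]]] = None,
                  timeout: float = 3.0) -> Optional[dict]:
    """Return the parsed Redfish service root if host answers like a BMC, else None."""
    if fetch is None:
        fetch = lambda u: _https_get(u, timeout)
    body = fetch(f"https://{host}{REDFISH_ROOT}")
    if body is None:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None  # HTML error page or something that is not Redfish
    # A genuine service root always carries a RedfishVersion member.
    if not isinstance(data, dict) or "RedfishVersion" not in data:
        return None
    return data


def audit_bmcs(hosts: List[str],
               fetch: Optional[Callable[[str], Optional[str]]] = None) -> List[Dict]:
    """Classify every host by routability and whether Redfish is listening."""
    findings = []
    for host in hosts:
        root = probe_redfish(host, fetch)
        findings.append({
            "host": host,
            "external": is_externally_routable(host),
            "redfish": root is not None,
            "product": (root or {}).get("Product"),
        })
    return findings


def exposed_bmcs(findings: List[Dict]) -> List[str]:
    """Hosts that are both externally routable and running Redfish: fix these first."""
    return [f["host"] for f in findings if f["external"] and f["redfish"]]


# Constructed sample data so the audit runs offline (addresses from the
# RFC 5737 documentation ranges, responses invented for this example).
SAMPLE_HOSTS = ["203.0.113.10", "10.0.0.5", "198.51.100.7"]
SAMPLE_RESPONSES = {
    "https://203.0.113.10/redfish/v1/": json.dumps({
        "@odata.type": "#ServiceRoot.v1_5_0.ServiceRoot",
        "RedfishVersion": "1.8.0",
        "Product": "sample BMC (constructed)",
    }),
    "https://10.0.0.5/redfish/v1/": json.dumps({
        "RedfishVersion": "1.8.0",
        "Product": "sample BMC (constructed)",
    }),
    "https://198.51.100.7/redfish/v1/": "<html>not a BMC</html>",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for _https_get, serving the constructed responses."""
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    results = audit_bmcs(SAMPLE_HOSTS, fake_fetch)
    for r in results:
        print(r)
    print("exposed:", exposed_bmcs(results))
```

Run it against a real inventory by calling audit_bmcs(hosts) with no fetcher; any host returned by exposed_bmcs is a BMC that answers Redfish on an address you consider reachable from outside and should be moved behind the VPN or jump host before anything else.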