"New BMC Supply Chain Vulnerabilities Pose Threat to Server, Cloud Computing Ecosystem"

Researchers discovered three different security flaws in American Megatrends Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software, posing a threat to technology supply chains and to the major Information Technology (IT) hardware brands that support cloud computing. According to Eclypsium, a firmware and hardware security company, the identified vulnerabilities, which range in severity from medium to critical, can lead to Remote Code Execution (RCE) and unauthorized device access with superuser privilege. Malicious hackers can exploit them by gaining access to remote management interfaces, such as Redfish, to take control of the systems and harm cloud infrastructure.

Vulnerabilities in a single component supplier affect many hardware vendors, which in turn can affect many cloud services, according to Vladislav Babkin, an Eclypsium security researcher. As a result, these vulnerabilities can endanger both the servers and hardware that an organization directly owns and the hardware that supports the cloud services it uses. MegaRAC BMC is used by many server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett Packard Enterprise, Huawei, Inspur, Lenovo, NVIDIA, Qualcomm, Quanta, and Tyan. According to Eclypsium researchers, additional, as yet unidentified brands are likely similarly vulnerable.

BMCs are specialized service processors designed to remotely control hardware settings and monitor host systems, even when the machines are turned off. These capabilities have made BMCs a lucrative target for threat actors wanting to plant highly persistent malware that can withstand reinstallation of the operating system and a complete hard drive wipe. This article continues to discuss findings regarding the BMC supply chain vulnerabilities.

SC Magazine reports "New BMC Supply Chain Vulnerabilities Pose Threat to Server, Cloud Computing Ecosystem"

Submitted by Anonymous on