Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. [Updated] Vulnerabilities in American Megatrends, Inc. MegaRAC Baseboard Management Controller software
Alerts

[Updated] Vulnerabilities in American Megatrends, Inc. MegaRAC Baseboard Management Controller software

6 December 2022

Security researchers from Eclypsium have discovered three vulnerabilities (CVE-2022-40259, CVE-2022-40242 and CVE-2022-2827), affecting the American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software.

The vulnerabilities are:

  • CVE-2022-40259: An arbitrary code execution via Redfish API that demands the attacker to already have a minimum level of access on the device.

  • CVE-2022-40242: Default credentials for sysadmin user, allowing attackers to establish administrative shell.

  • CVE-2022-2827: This vulnerabilty allows attackers to test for the presence of user accounts by iterating through a list of possible account names.

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorised device access with superuser permissions and perform remote code execution.

System administrators are advised to minimise the external exposure of server management interfaces and are recommended to disable unnecessary remote administration options and add remote authentication steps, where possible.

System administrators are also advised to monitor the websites of your own Original Equipment Manufacturers (OEM) for firmware updates and perform any necessary updates as and when they are released.

More information is available here:

https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/

https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-impact-servers-from-amd-arm-hpe-dell-others/

Back to top