Three new security vulnerabilities that create significant supply chain risk have been discovered. The vulnerabilities, which were discovered and reported by Eclypsium researchers, affect American Megatrends – MegaRAC Baseboard Management Controller (BMC) software:
CVE-2022-40259 – Arbitrary Code Execution via Redfish API;
CVE-2022-40242 – Default credentials for UID = 0 shell via SSH;
CVE-2022-2827 – User enumeration via API.
BMC&C Vulnerabilities Create Supply Chain Risk
Collectively called the BMC&C vulnerabilities, the issues range in severity from medium to critical. They could be exploited by remote threat actors who can reach the BMC's remote management interfaces. Security researchers warn that the flaws create major risk to the technology supply chain in cloud computing, as they affect several hardware vendors.
“As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use,” the researchers noted in their report.
It is noteworthy that BMC software gives administrators nearly full control over servers. American Megatrends is a leading provider of this type of software, making the vulnerabilities' potential impact quite large. Potential attacks include taking remote control of affected servers, remote deployment of malware and ransomware, firmware implants, and physical damage to servers. Currently, it is not known whether the vulnerabilities are being exploited in the wild.
The most severe of the vulnerabilities is CVE-2022-40259, rated 9.9 on the CVSS scale.