
Weeks after the release of a patch by AMI to address a critical vulnerability in its MegaRAC baseboard management controller (BMC) firmware, many Original Equipment Manufacturers (OEMs) are still working on their responses. This firmware is crucial because it lets IT teams remotely monitor and control servers, even when they are powered down or unresponsive. The vulnerability, identified as CVE-2024-54085, was officially patched by AMI on March 11, but the subsequent updates from the various OEMs have been slow to materialize.
Lenovo was one of the most recent companies to roll out a patch, releasing it on April 17. Asus has also provided updates for some motherboard models, although their specific release times remain unclear. Hewlett Packard Enterprise (HPE) was quicker to respond, issuing a patch for its HPE Cray XD670 systems on March 20. Other manufacturers, including AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm, also rely on AMI’s MegaRAC BMC.
In contrast, Dell announced that its products are not affected by this issue, as they use a different system for remote management in their servers.
The vulnerability discovered by Eclypsium allows attackers to bypass authentication through the Redfish interface, potentially enabling remote access and control over the affected servers. This could lead to the deployment of malware, ransomware, or severe operational disruptions. Despite the seriousness of this flaw, there have been no reported exploits so far.
The slow patching process reveals the complexities involved when multiple vendors sit in the software supply chain. IT teams often have to manage a range of products from various manufacturers, which complicates the update process further. For instance, while HPE's ProLiant servers use its proprietary Integrated Lights-Out (iLO), other models such as Cray and Apollo use MegaRAC.
Moreover, Eclypsium has highlighted concerns regarding the frequency of vulnerabilities in AMI’s MegaRAC BMC, having uncovered numerous flaws since late 2022.
To mitigate the risks associated with this vulnerability, Eclypsium advises organizations to limit external exposure of server management interfaces, ensure regular firmware updates, and check all new equipment for outdated firmware and potential supply chain issues.
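The three mitigations above (limit exposure of management interfaces, keep firmware current, check new equipment on arrival) can be turned into a repeatable inventory check. The script below is an added example, not code from the article, AMI, Eclypsium or any OEM: it takes BMC records shaped like the JSON a Redfish `/redfish/v1/Managers/<id>` resource returns (the `FirmwareVersion` property is a standard Redfish field), flags BMCs whose address falls outside an allow-listed management network, and flags firmware below a per-vendor minimum. The sample inventory, the allowed network and the `MIN_FIRMWARE` version numbers are constructed placeholders; replace the thresholds with the fixed versions from each OEM's own advisory.

```python
"""Defensive BMC inventory check (added example, not from the article or
from AMI/Eclypsium). Flags BMCs that are reachable outside the management
network and BMCs running firmware older than a vendor-published minimum.
All version numbers and inventory records below are constructed."""
import ipaddress
import re

# Hypothetical minimum firmware versions per vendor. These are placeholders,
# NOT real AMI/OEM release numbers; fill them from each OEM's advisory.
MIN_FIRMWARE = {
    "Lenovo": "3.0.0",
    "HPE": "1.2.0",
}

# Management networks from which BMC access is acceptable (constructed).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.99.0.0/16")]


def parse_version(text):
    """Turn '3.1.0' (or '3.1.0-rc1') into a tuple of ints for comparison."""
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums) or (0,)


def check_bmc(record, allowed_nets=ALLOWED_MGMT_NETS, minimums=MIN_FIRMWARE):
    """Return a list of findings (strings) for one BMC record.

    record = {"host": ..., "vendor": ..., "ip": ..., "redfish_manager": {...}}
    where redfish_manager mimics the JSON of /redfish/v1/Managers/<id>.
    """
    findings = []

    # 1. Exposure check: the BMC address must sit inside a management network.
    addr = ipaddress.ip_address(record["ip"])
    if not any(addr in net for net in allowed_nets):
        findings.append(
            f"{record['host']}: BMC {addr} is outside the allowed management networks")

    # 2. Firmware check: compare against the vendor's minimum, if one is known.
    fw = record["redfish_manager"].get("FirmwareVersion", "")
    minimum = minimums.get(record["vendor"])
    if minimum is None:
        findings.append(
            f"{record['host']}: no minimum firmware recorded for vendor "
            f"{record['vendor']}; verify against the OEM advisory")
    elif parse_version(fw) < parse_version(minimum):
        findings.append(
            f"{record['host']}: firmware {fw} is below minimum {minimum}")

    return findings


def audit(records, allowed_nets=ALLOWED_MGMT_NETS, minimums=MIN_FIRMWARE):
    """Map each host name to its list of findings."""
    return {r["host"]: check_bmc(r, allowed_nets, minimums) for r in records}


# Constructed sample inventory: one compliant host, one exposed and outdated
# host, and one host whose vendor has no recorded minimum yet.
SAMPLE_INVENTORY = [
    {"host": "node-a", "vendor": "Lenovo", "ip": "10.99.4.10",
     "redfish_manager": {"Id": "1", "ManagerType": "BMC", "FirmwareVersion": "3.1.0"}},
    {"host": "node-b", "vendor": "HPE", "ip": "203.0.113.7",
     "redfish_manager": {"Id": "1", "ManagerType": "BMC", "FirmwareVersion": "1.1.5"}},
    {"host": "node-c", "vendor": "Supermicro", "ip": "10.99.4.12",
     "redfish_manager": {"Id": "1", "ManagerType": "BMC", "FirmwareVersion": "2.0.0"}},
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not issues else "REVIEW"
        print(f"[{status}] {host}")
        for issue in issues:
            print(f"    - {issue}")
```

Run against a real fleet, the `redfish_manager` dictionaries would come from authenticated Redfish queries made from inside the management network; the "no minimum recorded" finding is deliberate, so that a vendor missing from the table is surfaced for follow-up rather than silently passing.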