Security vulnerability with maximum risk level in remote server maintenance

Ethernet ports for remote maintenance do not belong on the public network, as a current security vulnerability impressively demonstrates.


A full ten points in the Common Vulnerability Scoring System (CVSS) is not reached every day. The remote maintenance firmware AMI MegaRAC, which runs on the baseboard management controllers (BMCs) of servers from Asus, Asrock Rack, HPE and Lenovo, among others, has now achieved exactly that.

Security experts from Eclypsium have discovered the vulnerability CVE-2024-54085, with a CVSS score of 10.0 (critical), in AMI MegaRAC. It is also known as the "Redfish Authentication Bypass" because it resides in a code module for the Redfish remote maintenance API. Redfish is meant to be considerably more secure than the older Intelligent Platform Management Interface (IPMI), which is known to be insecure.

AMI provides information on CVE-2024-54085 as well as patches, but the manufacturers of the actual remote maintenance systems still have to incorporate these into their respective firmware.


HPE (Cray XD670 Server) and Lenovo, among others, are already providing patched firmware versions. According to Eclypsium, servers from Asus and Asrock Rack are also affected.

In principle, however, servers should be configured in such a way that remote maintenance is either switched off or the designated ports are only accessible from a specially protected network.

Unfortunately, there are still servers (mainboards) whose BIOS activates remote maintenance by default (BIOS Setup Defaults) with insecure access data and at the same time makes it reachable through one of the network sockets actually intended for user data. This is why specialized search engines such as Shodan have for years continued to find thousands of systems whose BMC/IPMI interfaces are reachable on UDP port 623.
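As an added example that is not part of the article, the following script checks a constructed server inventory against the two rules above: a BMC is either switched off or reachable only from a dedicated management network, and it must not sit on a network port that also carries user data; it also flags factory default access data. The inventory field names and addresses are assumptions for this example.

```python
import ipaddress

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"host": "db01", "bmc_enabled": True, "bmc_ip": "10.99.0.11", "bmc_nic": "dedicated", "default_creds": False},
    {"host": "web02", "bmc_enabled": True, "bmc_ip": "172.16.20.25", "bmc_nic": "shared", "default_creds": True},
    {"host": "build03", "bmc_enabled": False, "bmc_ip": None, "bmc_nic": "dedicated", "default_creds": False},
    {"host": "ai04", "bmc_enabled": True, "bmc_ip": "10.99.0.14", "bmc_nic": "shared", "default_creds": False},
]

# The dedicated, firewalled management network(s) from which BMCs may be reached (assumed).
MGMT_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]


def audit_bmc(record, mgmt_networks=MGMT_NETWORKS):
    """Return a list of (severity, message) findings for one inventory record."""
    findings = []
    if not record["bmc_enabled"]:
        return findings  # remote maintenance switched off: nothing is exposed
    addr = ipaddress.ip_address(record["bmc_ip"])
    # Rule 1: the BMC address must lie inside a protected management network.
    if not any(addr in net for net in mgmt_networks):
        findings.append(("critical", "BMC is reachable outside the management network"))
    # Rule 2: the BMC must not ride on a NIC that also carries user data (shared port).
    if record["bmc_nic"] == "shared":
        findings.append(("high", "BMC is reachable via a user-data network port"))
    # Factory access data is the other half of the insecure default setup.
    if record["default_creds"]:
        findings.append(("critical", "BMC still uses factory default access data"))
    return findings


def audit_inventory(records, mgmt_networks=MGMT_NETWORKS):
    """Map each host name to its findings, omitting hosts with none."""
    result = {}
    for rec in records:
        found = audit_bmc(rec, mgmt_networks)
        if found:
            result[rec["host"]] = found
    return result


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        for severity, message in findings:
            print(f"{host}: [{severity}] {message}")
```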

(ciw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.