Attacks on remote maintenance weak points in servers from HPE, Lenovo and Co.
A critical security vulnerability in the AMI MegaRAC remote maintenance firmware is under attack on the Internet, warns CISA.
(Image: c’t Magazin)
Attackers are targeting several security vulnerabilities in the wild, warns the US IT security authority CISA. The most dangerous are ongoing attacks on the remote maintenance firmware in AMI MegaRAC, which is installed in servers from Asus, Asrock Rack, HPE and Lenovo, for example. There are also attacks on security leaks in D-Link's DIR-859 routers and on an ancient FortiOS firmware backdoor.
In a security alert, CISA warns of the ongoing attacks and declares that it has added them to the “Known Exploited Vulnerabilities” catalog, or KEV for short. This is a call to action for US authorities, but it should also be a wake-up call for IT managers in Germany, Austria, and Switzerland to implement countermeasures such as firmware and software updates.
Attacked remote maintenance firmware vulnerability
The vulnerability in the AMI MegaRAC remote maintenance firmware that is now under attack became known in mid-March. The firmware runs on the baseboard management controllers (BMCs) of servers from Asus, Asrock Rack, HPE and Lenovo, among others. It was rated with the maximum CVSS score of 10.0 out of 10 and is therefore considered a highly critical risk. The flaw sits in a module for the Redfish remote maintenance API and has accordingly been labeled “Redfish Authentication Bypass”: it allows the remote maintenance login to be bypassed (CVE-2024-54085 / EUVD-2024-54252, CVSS 10.0, risk “critical”). AMI provided server manufacturers with information and patches, but they first had to incorporate them into their own firmware, and admins then had to apply those updates.
This apparently did not happen everywhere, so server systems with AMI MegaRAC are still vulnerable. Admins may also have ignored the “best practices” or overlooked the fact that the default BIOS settings enable remote maintenance and, at the same time, make it reachable via the network interfaces intended for user data instead of restricting it to a separate maintenance network. Often, these interfaces are even exposed on the internet.
In addition, a vulnerability in D-Link's DIR-859 routers is under attack, which the manufacturer classified as critical at the beginning of 2024, deviating from its CVSS score (CVE-2024-0769 / EUVD-2024-16557, CVSS 5.3, risk “medium”). Security vulnerabilities in these routers had, however, already been attacked by the Mirai botnet in mid-2023. The alarming conclusion: the devices had already reached end-of-life at that time and should be replaced by hardware still supported by its manufacturer. Apparently, some organizations are still using them.
Observed attacks on a Fortinet FortiOS vulnerability may even top this: it has been known since 2019 that a hardcoded cryptographic key encrypts sensitive data in configuration backups, so anyone who knows the key can easily decrypt them and thereby obtain user passwords (except the admin's), passphrases for private keys, and high-availability passwords (CVE-2019-6693 / EUVD-2019-16251, CVSS 6.5, risk “medium”). Firmware updates that fix this have been available since November 2019.
CISA does not provide any details about the attacks, such as their type and scope. Nevertheless, IT managers should check whether they may have the systems now under attack in their organization and take countermeasures if necessary.
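As an added example (not code from the article, CISA or any vendor), the following script shows the two checks the text calls for: cross-referencing an asset inventory against a KEV-style feed, including whether the catalog's remediation due date has passed, and flagging BMCs whose address lies outside a dedicated management network. The KEV excerpt, the inventory, the hostnames and all dates are constructed placeholders in the real feed's field layout.

```python
import ipaddress
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed (field names as used by the
# real feed; the dateAdded/dueDate values are placeholders, not the catalog's actual dates).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-54085", "vendorProject": "AMI", "product": "MegaRAC SPx",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-2024-0769", "vendorProject": "D-Link", "product": "DIR-859",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
]})

# Constructed inventory: the CVEs the vendor advisories say apply to each device (assumed
# to be maintained by the admin) plus the BMC address where the device has one.
ASSETS = [
    {"host": "db-node-07", "cves": ["CVE-2024-54085"], "bmc_ip": "203.0.113.21"},
    {"host": "rack-node-02", "cves": ["CVE-2024-54085"], "bmc_ip": "10.99.0.12"},
    {"host": "branch-fw-01", "cves": ["CVE-2019-6693"], "bmc_ip": None},
    {"host": "web-01", "cves": [], "bmc_ip": "10.99.0.30"},
]


def load_kev(kev_json: str) -> dict:
    """Index the feed by CVE id so inventory entries can be matched directly."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def kev_exposure(kev_json: str, assets: list, mgmt_net: str, today: str) -> list:
    """One finding per (asset, KEV entry) pair: is the KEV due date (ISO string)
    already past, and does the BMC sit outside the management network mgmt_net?"""
    kev = load_kev(kev_json)
    net = ipaddress.ip_network(mgmt_net)
    now = date.fromisoformat(today)
    findings = []
    for asset in assets:
        hits = [kev[c] for c in asset["cves"] if c in kev]
        if not hits:
            continue  # nothing KEV-listed on this device
        bmc = asset.get("bmc_ip")
        outside = bmc is not None and ipaddress.ip_address(bmc) not in net
        for entry in hits:
            findings.append({
                "host": asset["host"], "cve": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "overdue": now > date.fromisoformat(entry["dueDate"]),
                "bmc_outside_mgmt": outside,
            })
    return findings
```

Replace `KEV_SAMPLE` with the downloaded feed and `ASSETS` with your own inventory; a finding with `bmc_outside_mgmt` set is exactly the misconfiguration the article warns about.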
(dmk)