
Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others





December 5, 2022, 10:07 AM


Three vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software impact server equipment used in many cloud service and data center providers.
The flaws were discovered by Eclypsium in August 2022 and could enable attackers, under certain conditions, to execute code, bypass authentication, and perform user enumeration.
The researchers discovered the flaws after examining leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware.
MegaRAC BMC is a solution for complete “out-of-band” and “lights-out” remote system management, allowing admins to troubleshoot servers remotely as if standing in front of the device.
MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

Vulnerability details

The three vulnerabilities discovered by Eclypsium and reported to American Megatrends and impacted vendors are the following:
  • CVE-2022-40259: Arbitrary code execution flaw via Redfish API due to improper exposure of commands to the user. (CVSS v3.1 score: 9.9 “critical”)
  • CVE-2022-40242: Default credentials for sysadmin user, allowing attackers to establish administrative shell. (CVSS v3.1 score: 8.3 “high”)
  • CVE-2022-2827: Request manipulation flaw allowing an attacker to enumerate usernames and determine if an account exists. (CVSS v3.1 score: 7.5 “high”)
The most severe of the three flaws, CVE-2022-40259, requires the attacker to already hold at least a low-privileged account on the BMC in order to make the API call.
“The only complication is the attack sits in the path parameter, but it is not URL-decoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command,” says Eclypsium.
For CVE-2022-40242, the only prerequisite is that the attacker can reach the BMC's management interface over the network.


The first two flaws are very severe because they hand the attacker an administrative shell without requiring any further privilege escalation.
The vulnerabilities could cause data manipulation, data breaches, service outage, business interruption, and more if successfully leveraged.
The third flaw doesn’t have a significant direct security impact, as knowing what accounts exist on the target isn’t enough to cause any damage.
However, it would open the way to brute-forcing passwords or performing credential-stuffing attacks.
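To make the username-enumeration class of bug concrete, here is an added example (not code from the article, Eclypsium, or AMI) of a login check that leaks whether an account exists beside a version that does not. The account store, the password, and the 404/401 status codes are constructed for this illustration; the point is that the leaky version answers differently, in both its message and its response time, for an unknown user than for a known user with a wrong password, which is exactly what an attacker needs before brute-forcing or credential-stuffing.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000


def _hash(password: bytes, salt: bytes) -> bytes:
    """Slow password hash; its cost is what makes the timing leak measurable."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


# Constructed sample account store for this example (not a MegaRAC user database):
# username -> (salt, pbkdf2 hash of the password).
_SALT = os.urandom(16)
ACCOUNTS = {
    "admin": (_SALT, _hash(b"correct horse battery staple", _SALT)),
}

# Dummy record with a random, unknowable password, so that an unknown
# username costs exactly one hash computation, just like a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(32), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable pattern: unknown users get a distinct message *and* skip the
    expensive hash, so both the response body and the response time tell an
    attacker whether the account exists."""
    record = ACCOUNTS.get(username)
    if record is None:
        return 404, "Unknown user"
    salt, stored = record
    if hmac.compare_digest(_hash(password.encode(), salt), stored):
        return 200, "OK"
    return 401, "Invalid password"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened pattern: one status and one message for every failure, and the
    hash is always computed (against the dummy record for unknown users)."""
    salt, stored = ACCOUNTS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password.encode(), salt), stored)
    if matched and username in ACCOUNTS:
        return 200, "OK"
    return 401, "Invalid username or password"


def time_login(fn, username: str, password: str) -> float:
    """Wall-clock seconds for one login attempt; used to show the timing oracle."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__)
        for user in ("admin", "nobody"):
            status, msg = fn(user, "wrong-password")
            ms = time_login(fn, user, "wrong-password") * 1000
            print(f"  {user:8s} -> {status} {msg!r} in {ms:.1f} ms")
```

Running it shows the leaky variant answering the unknown user in well under a millisecond with a different message, while the uniform variant takes the same tens of milliseconds and returns the same text either way. Rate limiting and lockout still belong in front of the endpoint; the uniform response only removes the oracle.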
“As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers,” comments Eclypsium in the report.
“Standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems.”
Admins should disable remote administration features that are not needed and add additional authentication steps for remote access where possible.
Additionally, admins should minimize the external exposure of server management interfaces such as Redfish, and ensure the latest available firmware updates are installed on all systems.
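One practical way to act on that advice is to inventory BMC firmware and the accounts enabled on each controller over the same Redfish interface the flaws live in. The following is an added example of such an audit, written for this page and not taken from the article, AMI, or any vendor tool. It parses the standard DMTF Redfish Manager and ManagerAccount resources (`FirmwareVersion`, `UserName`, `Enabled`, `RoleId`); the sample documents, the hostname, the "1.03.0" minimum version and the list of risky usernames are all constructed placeholders, since the article gives no fixed firmware versions, and the real threshold must come from your vendor's advisory.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed sample documents, shaped like the DMTF Redfish Manager and
# ManagerAccount resources. The values are made up for this example and are
# not taken from any vendor's BMC.
SAMPLE_MANAGER = json.dumps({
    "@odata.id": "/redfish/v1/Managers/1",
    "Id": "1",
    "FirmwareVersion": "1.02.0",
})
SAMPLE_ACCOUNTS = [
    json.dumps({"UserName": "sysadmin", "Enabled": True, "RoleId": "Administrator"}),
    json.dumps({"UserName": "opsbot", "Enabled": True, "RoleId": "ReadOnly"}),
]


def fetch_json(base_url, path, username, password, verify_tls=True, timeout=15):
    """GET a Redfish resource with HTTP Basic auth and return the raw JSON text.
    Only needed against a live BMC; the audit functions below take the text."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # many BMCs ship self-signed certs; prefer pinning in practice
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


def parse_version(text):
    """'1.02.0' -> (1, 2, 0); only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit_bmc(manager_json, account_jsons, minimum_version, risky_usernames=("sysadmin",)):
    """Return human-readable findings for one BMC: outdated firmware and
    vendor default accounts that are still enabled. minimum_version is the
    fixed build your vendor told you to be on; it is a placeholder here."""
    findings = []
    manager = json.loads(manager_json)
    fw = manager.get("FirmwareVersion", "")
    if not fw:
        findings.append("Manager resource reports no FirmwareVersion")
    elif parse_version(fw) < parse_version(minimum_version):
        findings.append(f"firmware {fw} is older than required {minimum_version}")
    for raw in account_jsons:
        acct = json.loads(raw)
        name = acct.get("UserName", "")
        if name.lower() in risky_usernames and acct.get("Enabled", False):
            findings.append(
                f"default account '{name}' is still enabled (role {acct.get('RoleId', '?')})")
    return findings


def audit_fleet(fleet, minimum_version):
    """fleet: {hostname: (manager_json, [account_json, ...])} -> {hostname: findings}."""
    return {host: audit_bmc(m, a, minimum_version) for host, (m, a) in fleet.items()}


if __name__ == "__main__":
    # Offline run over the constructed samples. Against a live BMC, replace the
    # tuple with fetch_json(...) calls for /redfish/v1/Managers/<id> and for
    # each member linked from /redfish/v1/AccountService/Accounts.
    fleet = {"bmc-rack1-01.example": (SAMPLE_MANAGER, SAMPLE_ACCOUNTS)}
    for host, findings in audit_fleet(fleet, "1.03.0").items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it from a host on the management network, never from somewhere that exposes the BMC credentials to the internet, and feed the findings into whatever ticketing drives your firmware rollouts; the `sysadmin` check is what catches CVE-2022-40242 exposure on a controller that has not yet been updated.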
The funny (weird, not ha-ha) thing is admins are usually the last to implement BIOS updates. It's a "If it ain't broke, don't fix it" attitude. Let's see how long this takes to get fixed. I have to hand it to our guys who handle the cloud side, they are pretty reactive to getting changes done quickly. I am not sure if that's the standard across the industry.