Vendors Race Against Time to Patch Critical AMI MegaRAC BMC Firmware Flaw

Weeks after AMI announced a patch for a serious vulnerability in its MegaRAC baseboard management controller (BMC) firmware, which is widely used in enterprise servers, OEMs are still lagging in rolling out updates. A BMC lets IT staff manage servers remotely, even when the host system is powered off, which raises the potential impact of vulnerabilities like this one.

The vulnerability, identified as CVE-2024-54085, was disclosed by AMI on March 11. However, many manufacturers, including Lenovo and Asus, took weeks to deploy their fixes. Lenovo's update arrived on April 17, while Asus's patches appeared only recently, with no confirmed release dates.

Early responses came from Hewlett Packard Enterprise (HPE), which released an update on March 20 for its HPE Cray XD670 systems. Other manufacturers that utilize AMI’s MegaRAC BMC include AMD, Ampere Computing, and Nvidia. Interestingly, Dell confirmed the security of its systems, stating they use their proprietary Integrated Dell Remote Access Controller (iDRAC) instead.

Eclypsium, the firm that discovered the flaw, noted that it affects AMI’s BMC software stack, which could potentially lead to remote server control, deployment of malware, or even permanent damage to hardware. Although there has been no reported exploitation of this vulnerability to date, the speed with which patches are issued is crucial for preventing future incidents.

This slow patching process highlights the complexity involved in managing software vulnerabilities across multiple vendors. IT departments often face challenges, as not all products from a single vendor may utilize the same interfaces.

Moreover, Eclypsium has identified a series of vulnerabilities in AMI’s MegaRAC BMC, including issues dating back to late 2022. Organizations are advised to ensure their server management interfaces are not exposed to the internet, keep firmware up to date, and monitor for signs of compromised systems.

For further details about the vulnerability, you can check Eclypsium’s blog post and CVE disclosures.
