- American Megatrends International has released a fix for its MegaRAC Baseboard Management Controller (BMC) firmware
- OEMs are now shipping the fix in their own products
- Asus has released a patch to address the flaw
Asus has patched a security flaw that could have been used to brick servers.
The flaw is tracked as CVE-2024-54085 and carries the maximum severity score of 10/10. As the company explained, it affects the MegaRAC Baseboard Management Controller (BMC) from American Megatrends International (AMI), a firmware solution for out-of-band, or "lights-out", remote server administration.
With a BMC, administrators can monitor, troubleshoot, and control servers even when the host is powered off.
Remote control
"AMI's SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface," the CVE's NVD page says. "A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability."
The BMC is used by "more than a dozen" server hardware vendors, including HPE, Asus, and ASRock.
Security researchers at Eclypsium, who wrote an in-depth report on the flaw, said it could be abused for malware infections and even ransomware attacks:
"Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware and ransomware, tamper with firmware, brick motherboard components (BMC or potentially BIOS/UEFI), potentially cause physical damage to the server (over-voltage / bricking), and trigger indefinite reboot loops that cannot be stopped."
AMI reportedly released a patch in mid-March, but OEMs took time to roll it out. HPE, for example, published a security bulletin on March 20 addressing the vulnerability in the HPE Cray XD670 server. That bulletin also confirmed that the vulnerability could be exploited remotely to bypass authentication. Reports further indicate that HPE has published security updates for its other products that incorporate the affected AMI firmware.
Asus has now addressed the flaw in four motherboards.
Users are advised to update their BMC firmware to these versions:
- Pro WS W790E-SAGE SE: version 1.1.57
- Pro WS W680M-ACE SE: version 1.1.21
- Pro WS WRX90E-SAGE SE: version 2.1.28
- Pro WS WRX80E-SAGE WIFI: version 1.34.0
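A quick way to check a fleet against that table is to read the board model and BMC build over Redfish and compare versions numerically. The script below is an added example, not code from the article, Asus or AMI. It assumes the BMC's Redfish System resource reports the board in the standard "Model" field and the Manager resource reports the BMC build in "FirmwareVersion" (DMTF field names; the exact strings an Asus BMC returns are an assumption), and the sample JSON is constructed for the example rather than captured from hardware.

```python
"""Check an Asus board's BMC firmware against the fixed versions for CVE-2024-54085.

Added example, not from the article. Assumes Redfish exposes the board name in
"Model" (System resource) and the BMC build in "FirmwareVersion" (Manager resource).
"""
import json
import re

# Fixed versions as listed in the article (keys normalised to upper case).
FIXED_VERSIONS = {
    "PRO WS W790E-SAGE SE": "1.1.57",
    "PRO WS W680M-ACE SE": "1.1.21",
    "PRO WS WRX90E-SAGE SE": "2.1.28",
    "PRO WS WRX80E-SAGE WIFI": "1.34.0",
}


def parse_version(version):
    """'1.1.57' -> (1, 1, 57); numeric so that 1.1.57 > 1.1.9 (string compare gets this wrong)."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def normalize_model(model):
    """Collapse whitespace and case so vendor strings match the table keys."""
    return re.sub(r"\s+", " ", model.strip()).upper()


def assess(model, firmware_version):
    """Return (status, fixed_version); status is 'patched', 'vulnerable' or 'unknown-model'."""
    fixed = FIXED_VERSIONS.get(normalize_model(model))
    if fixed is None:
        return "unknown-model", None
    if parse_version(firmware_version) >= parse_version(fixed):
        return "patched", fixed
    return "vulnerable", fixed


def assess_redfish(system_json, manager_json):
    """Take the decoded bodies of /redfish/v1/Systems/<id> and /redfish/v1/Managers/<id>."""
    return assess(system_json["Model"], manager_json["FirmwareVersion"])


# Constructed sample responses (assumed field contents, not captured from a real BMC).
SAMPLE_SYSTEM = json.loads(
    '{"@odata.id": "/redfish/v1/Systems/1", "Model": "Pro WS W790E-SAGE SE"}'
)
SAMPLE_MANAGER = json.loads(
    '{"@odata.id": "/redfish/v1/Managers/1", "FirmwareVersion": "1.1.9"}'
)

if __name__ == "__main__":
    status, fixed = assess_redfish(SAMPLE_SYSTEM, SAMPLE_MANAGER)
    print(f"{SAMPLE_SYSTEM['Model']}: {SAMPLE_MANAGER['FirmwareVersion']} -> {status} (fixed in {fixed})")
```

In practice the two JSON bodies come from authenticated GETs against the BMC's Redfish endpoint (the resource IDs under /redfish/v1/Systems and /redfish/v1/Managers vary by vendor, so enumerate the collections first). A board that reports "unknown-model" is not necessarily safe; it just is not in the article's table.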
Since this is a maximum-severity flaw that enables ransomware infections, users are advised to apply the update without delay and, as with any BMC, to keep the management interface off untrusted networks.
Via BleepingComputer