- American Megatrends International (AMI) has released a fix for its MegaRAC Baseboard Management Controller (BMC) firmware
- Different OEMs are now implementing the fix in their products
- ASUS has released a patch that addresses the flaw
ASUS has patched a security flaw that could have been used to brick servers.
The flaw is tracked as CVE-2024-54085 and carries the maximum severity rating of 10/10. As the company explained, it affects American Megatrends International's (AMI) MegaRAC Baseboard Management Controller (BMC), a firmware solution that enables out-of-band, or "lights-out", remote server management.
With a BMC, administrators can monitor, troubleshoot and control servers even when the host is powered off.
Remote control
"AMI's SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface," says the CVE's NVD page. "A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability."
MegaRAC BMC firmware is used by "over a dozen" server hardware suppliers, including HPE, ASUS and ASRock.
Eclypsium security researchers, who wrote an in-depth report on the flaw, said it could be abused for malware infections and even ransomware attacks:
"Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, brick motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop."
AMI reportedly released a patch in mid-March, but it took OEMs time to implement it. For example, HPE published a security bulletin on March 20 covering the vulnerability in the HPE Cray XD670 server. That bulletin also confirmed that the vulnerability could be exploited remotely to bypass authentication. Reports further indicate that HPE has released security updates for its products that integrate AMI's fix for CVE-2024-54085.
ASUS has now addressed the flaw in four motherboards.
Users are advised to upgrade their BMC firmware to these versions:
- Pro WS W790E-SAGE SE: version 1.1.57
- Pro WS W680M-ACE SE: version 1.1.21
- Pro WS WRX90E-SAGE SE: version 2.1.28
- Pro WS WRX80E-SAGE SE WIFI: version 1.34.0
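A practical follow-up to that list is to check a fleet rather than one board at a time. The following added example (not code from ASUS, AMI or the article) takes the four board-to-version pairs from the advisory above and flags hosts whose BMC firmware is older than the fixed release. The inventory records are constructed sample data shaped like the fields an operator would pull from a Redfish `Systems` resource (`Model`) and the `UpdateService/FirmwareInventory/BMC` member (`Version`); the host names and the inventory layout are assumptions for illustration. Note that versions are compared numerically per component, because a plain string comparison would rank "1.1.9" above "1.1.57".

```python
"""Added example: flag ASUS boards whose BMC firmware is below the fixed version.

The board-to-version table is the one ASUS published for CVE-2024-54085, as
quoted on this page. The inventory records are constructed sample data in the
shape of a Redfish FirmwareInventory member (Id/Version) plus the board model;
the host names are made up.
"""
import json
import re

# Minimum BMC firmware that contains the CVE-2024-54085 fix, per ASUS.
MIN_FIXED_VERSION = {
    "Pro WS W790E-SAGE SE": "1.1.57",
    "Pro WS W680M-ACE SE": "1.1.21",
    "Pro WS WRX90E-SAGE SE": "2.1.28",
    "Pro WS WRX80E-SAGE SE WIFI": "1.34.0",
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Turn '1.1.57' (or '1.1.57-build2') into (1, 1, 57) for numeric comparison.

    String comparison would rank '1.1.9' above '1.1.57'; a tuple of integers
    compares component by component and gets the order right.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def needs_update(model, version):
    """True if a listed ASUS board runs BMC firmware older than the fixed release."""
    if model not in MIN_FIXED_VERSION:
        raise KeyError(f"no fixed version known for {model!r}")
    return parse_version(version) < parse_version(MIN_FIXED_VERSION[model])


# Constructed sample: what an inventory script might collect per host from
# /redfish/v1/Systems/<id> (Model) and
# /redfish/v1/UpdateService/FirmwareInventory/BMC (Version). Not real hosts.
SAMPLE_INVENTORY = json.dumps([
    {"host": "bmc-01.example", "Model": "Pro WS W790E-SAGE SE",
     "FirmwareInventory": {"Id": "BMC", "Version": "1.1.9"}},
    {"host": "bmc-02.example", "Model": "Pro WS W790E-SAGE SE",
     "FirmwareInventory": {"Id": "BMC", "Version": "1.1.57"}},
    {"host": "bmc-03.example", "Model": "Pro WS WRX80E-SAGE SE WIFI",
     "FirmwareInventory": {"Id": "BMC", "Version": "1.33.2"}},
    {"host": "bmc-04.example", "Model": "Pro WS W680M-ACE SE",
     "FirmwareInventory": {"Id": "BMC", "Version": "1.1.21"}},
    {"host": "bmc-05.example", "Model": "Some Other Board",
     "FirmwareInventory": {"Id": "BMC", "Version": "0.9.0"}},
])


def check_fleet(inventory_json):
    """Return (hosts needing the BMC update, hosts whose model is not in the list)."""
    vulnerable, unknown = [], []
    for rec in json.loads(inventory_json):
        model = rec["Model"]
        version = rec["FirmwareInventory"]["Version"]
        if model not in MIN_FIXED_VERSION:
            # Not covered by the ASUS advisory: confirm status with the vendor
            # rather than assuming it is safe.
            unknown.append(rec["host"])
            continue
        if needs_update(model, version):
            vulnerable.append(rec["host"])
    return vulnerable, unknown


if __name__ == "__main__":
    vuln, unk = check_fleet(SAMPLE_INVENTORY)
    print("needs BMC update:", vuln)
    print("model not in ASUS list:", unk)
```

Hosts whose model is not in the advisory are reported separately rather than marked safe: the table only covers the four boards ASUS named, and other MegaRAC-based systems need their own vendor's fixed-version statement.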
Since this is a maximum-severity flaw that can be leveraged for ransomware infections, users are advised to apply the update without delay.
Via BleepingComputer