Vulnerabilities in an American Megatrends firmware impact many cloud services and data center serve

Ref# AL2022_84 | Date: Dec 6th 2022


Three vulnerabilities were found and reported in American Megatrends MegaRAC Baseboard Management Controller (BMC) firmware that puts many servers used by cloud services and data centers at risk.  


On August 2022, researchers at the security technology company Eclypsium discovered three vulnerabilities in the MegaRAC BMC from American Megatrends. The vulnerabilities were discovered after the team examined leaked proprietary code of the BMC firmware, claiming that attackers could execute code, bypass authentication, and perform user enumeration under certain circumstances. 

The MegaRAC BMC is a service processor that provides secure, robust, customizable and extendable remote management solution and troubleshooting for servers. The firmware is used by some of the popular server manufactures including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.  

The three vulnerabilities reported by Eclypsium were recorded as follows: 

CVE-2022-40259 – This is an arbitrary code execution flaw via Redfish API due to the improper exposure of commands to the user. Additionally, this flaw requires prior access to a low-privileged account to carry out the code execution. It was given a CVSS v3.1 and a critical score of 9.9. 

CVE-2022-40242 – This is a flaw in the default credentials for the sysadmin user which can allow attackers to establish administrative shell access. An attacker would first need remote access to the device to carry out this attack. This flaw was given a CVSS v3.1 and a high score of 8.3. 

CVE-2022-2827 – This is a request manipulation flaw that allows an attacker to establish usernames and determine if accounts exist on a device. This flaw was given a CVSS v3.1 and a high score of 7.5. 

The two vulnerabilities, CVE-2022-40259 and CVE-2022-40242 poses serious risks as they give attackers administrative shell access without the need of further escalation. This can lead to data manipulation, data breaches, service interruption and downtime if carried out successfully. CVE-2022-2827 can promote brute-forcing accounts and credential-stuffing. 


To circumvent this issue, users are recommended to follow the steps below: 

  1. Ensure that all remote server management interfaces are on their dedicated networks and not exposed externally. 

  1. Perform regular software and firmware updates on critical servers. 

  1. Disable built-in administrative accounts and/or use remote authentication if needed. 

  1. Regularly monitor all critical firmware in servers for indicators of compromise or unauthorized modifications. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     

PDF Download: Vulnerabilities in an American Megatrends firmware.pdf