Security News > 2022 > December > New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

Three different security flaws have been disclosed in American Megatrends MegaRAC Baseboard Management Controller software that could lead to remote code execution on vulnerable servers.

"The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage," firmware and hardware security company Eclypsium said in a report shared with The Hacker News.

BMCs are privileged independent systems within servers that are used to control low-level hardware settings and manage the host operating system, even in scenarios when the machine is powered off.

The findings once again underscore the importance of securing the firmware supply chain and ensuring that BMC systems are not directly exposed to the internet.

The findings come as Binarly disclosed multiple high-impact vulnerabilities in AMI-based devices that could result in memory corruption and arbitrary code execution during early boot phases.

Earlier this May, Eclypsium also uncovered what's called a "Pantsdown" BMC flaw impacting Quanta Cloud Technology servers, a successful exploitation of which could grant attackers full control over the devices.

News URL

https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html