Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others (Security News, December 2022)
Three vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software impact server equipment used by many cloud service and data center providers.
The flaws were discovered by Eclypsium in August 2022 and could enable attackers, under certain conditions, to execute code, bypass authentication, and perform user enumeration.
The researchers discovered the flaws after examining leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware.
MegaRAC BMC is a solution for complete "Out-of-band" and "Lights-out" remote system management, allowing admins to troubleshoot servers remotely as if standing in front of the device.
The first two flaws are very severe because they give attackers access to an administrative shell without requiring any further privilege escalation.
"Standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems."