On Monday researchers at Eclypsium reported three vulnerabilities in the MegaRAC Baseboard Management Controller (BMC) firmware, which over a dozen manufacturers ship for managing their server products. The first, CVE-2022-40259, carries a CVSS score of 9.9 and gives an attacker who already holds Callback privileges or higher on the device arbitrary code execution. The second, CVE-2022-40242, carries a CVSS score of 8.3 and concerns default credentials for the sysadmin user: the password hash is easily found and cracked. The third, CVE-2022-2827, carries a CVSS score of 7.5 and lets an attacker enumerate valid user accounts through password reset requests. Both of the higher-severity vulnerabilities effectively grant the attacker root privileges on the BMC if exploited.
Manufacturers that use MegaRAC BMC include:
- Ampere Computing
- Dell EMC
- HP Enterprise
Much of the risk from these vulnerabilities can be mitigated by controlling access to remote management interfaces. Companies should never leave these exposed to the internet, and should further restrict which devices or networks can reach them. User behavior analysis can help identify exploitation of vulnerabilities like these; bursts of password reset requests and root-level activity that departs from the baseline are reliable indicators of compromise.
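The following added example (not code from Eclypsium or from any BMC vendor) shows what the two defensive measures above look like when applied to management-interface audit logs: a check that every access came from an allowed out-of-band management network, a sliding-window detector for bursts of password reset requests from one source, and a check for root-level sessions from sources outside the expected baseline. The log format, the management network 10.10.5.0/24, the baseline source list and the sample log lines are all constructed assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-record format for this example; it is a constructed format,
# not the log format of MegaRAC or any other real BMC firmware.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) bmc: (?P<event>[A-Z_]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumption: only the out-of-band management VLAN may reach the BMCs.
ALLOWED_MGMT_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]

# Assumption: the baseline set of sources from which root-level sessions are expected.
BASELINE_ROOT_SOURCES = {"10.10.5.20"}

# Constructed sample log: one legitimate reset, then a burst of reset requests
# from an internet address, followed by a login and root shell from the same source.
SAMPLE_LOG = """\
2022-12-05T10:00:01Z bmc01 bmc: PASSWORD_RESET_REQUEST user=alice src=10.10.5.20 result=sent
2022-12-05T10:00:03Z bmc01 bmc: PASSWORD_RESET_REQUEST user=bob src=203.0.113.7 result=unknown_user
2022-12-05T10:00:04Z bmc01 bmc: PASSWORD_RESET_REQUEST user=carol src=203.0.113.7 result=unknown_user
2022-12-05T10:00:05Z bmc01 bmc: PASSWORD_RESET_REQUEST user=dave src=203.0.113.7 result=sent
2022-12-05T10:00:06Z bmc01 bmc: PASSWORD_RESET_REQUEST user=sysadmin src=203.0.113.7 result=sent
2022-12-05T10:02:30Z bmc01 bmc: LOGIN user=sysadmin src=203.0.113.7 result=success
2022-12-05T10:02:31Z bmc01 bmc: ROOT_SHELL user=sysadmin src=203.0.113.7 result=opened
2022-12-05T11:30:00Z bmc01 bmc: LOGIN user=alice src=10.10.5.20 result=success
"""


def parse_line(line):
    """Parse one audit record into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def in_allowed_network(src):
    """True if src is an IP address inside one of the allowed management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_MGMT_NETWORKS)


def reset_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Return [(src, count)] for every source that issued at least `threshold`
    password reset requests within some `window`-long sliding interval."""
    per_src = defaultdict(list)
    for r in records:
        if r["event"] == "PASSWORD_RESET_REQUEST":
            per_src[r["src"]].append(r["ts"])
    bursts = []
    for src, times in per_src.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            # Advance j to the first request that falls outside the window starting at times[i].
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts.append((src, best))
    return bursts


def analyze(log_text, **burst_kwargs):
    """Run all three checks over a log and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        # Any access from outside the management network violates the access-control policy.
        "outside_network": [(r["src"], r["event"], r["user"])
                            for r in records if not in_allowed_network(r["src"])],
        # Mass password reset requests: the enumeration pattern described above.
        "reset_bursts": reset_bursts(records, **burst_kwargs),
        # Root-level activity from a source that is not part of the baseline.
        "root_sessions_off_baseline": [(r["src"], r["user"]) for r in records
                                       if r["event"] == "ROOT_SHELL"
                                       and r["src"] not in BASELINE_ROOT_SOURCES],
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The window and threshold values are deliberately parameters: a fleet where administrators reset passwords in bulk would need a higher threshold than the three-in-five-minutes used here, and the baseline of expected root sources should be derived from historical logs rather than hard-coded as in this example.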