External risk intelligence

AMI MegaRAC SPx Remote Authentication Bypass Advisory

CVE advisory | Known Exploit

CVE-2024-54085

A vulnerability in AMI's SPx allows remote attackers to bypass authentication on server management interfaces, potentially leading to data loss or system compromise. Organizations using affected systems should prioritize applying vendor updates and restricting network access to the management interface. The risk to bus

Halo Surface Signal: 2

AMI MegaRAC SPx

Affected versions: 12 to before 12.7; 13 to before 13.5

External exposure likelihood

Halo Surface Signal score for CVE-2024-54085

The vulnerability affects Baseboard Management Controllers (BMCs) using the Redfish API. BMCs are specialized hardware management interfaces intended to be isolated within secure management networks. While network-reachable in some deployments, public internet exposure of a BMC is considered a misconfiguration or a breach of standard security architecture rather than a normal deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

AMI's MegaRAC SPx management software, used in various server environments, contains a vulnerability that could allow unauthorized access. This flaw can be exploited remotely, potentially impacting the confidentiality, integrity, and availability of affected systems and data. The vulnerability is present in the Redfish Host Interface component of the Baseboard Management Controller (BMC).

  • Vulnerable management interface
  • Remote authentication bypass
  • System compromise and data loss

Attack Path

How an attacker could exploit the issue

This vulnerability allows attackers to bypass authentication on a server's Baseboard Management Controller (BMC) through its Redfish Host Interface. Successful exploitation could result in unauthorized access, leading to potential loss of data confidentiality, integrity, and availability for affected organizations. The attack requires the BMC's Redfish interface to be exposed externally.

  • External network exposure of BMC Redfish interface.
  • Attacker remotely accesses the interface.
  • Bypasses authentication, gains control.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability allows attackers to bypass authentication on server management interfaces, granting them extensive control over affected systems. Attackers could remotely control servers, deploy malware, tamper with firmware, or even cause physical damage to hardware. The widespread use of this firmware in various server models means a significant number of organizations could be impacted. Given that this vulnerability is actively being exploited and has been added to CISA's Known Exploited Vulnerabilities catalog, it should be treated with the highest urgency.

  • Likely attacker skill level: Any skill level.
  • Required access or conditions: Remote network access.
  • Business risk or urgency: Critical and immediate.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

AMI's SPx software contains a critical vulnerability that allows remote attackers to bypass authentication through the Redfish Host Interface. Successful exploitation of this vulnerability could result in unauthorized access leading to loss of confidentiality, integrity, and availability of affected systems. Organizations should prioritize addressing this vulnerability to mitigate potential business risks.

  • Identify all systems running affected AMI SPx versions.
  • Restrict network access to the Redfish Host Interface.
  • Apply vendor-provided updates and validate system remediation.
  • Monitor for unusual system activity.
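
The first two actions above can be combined into one inventory triage pass. This is an added example, not code from the advisory or from AMI: it checks each BMC against the affected ranges listed on this page and against a list of management subnets. The inventory columns, the subnet, the status labels and the dotted-numeric version format are assumptions made for the example.

```python
import csv
import io
import ipaddress

# Affected ranges as listed on this page, as [low, high) version tuples.
AFFECTED = [((12,), (12, 7)), ((13,), (13, 5))]

# Assumption: isolated management subnets for this example (constructed).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample inventory; column names are assumptions.
INVENTORY = """host,bmc_ip,spx_version
db01,10.20.4.11,12.6.3
web07,203.0.113.40,13.4
gpu02,10.20.9.8,13.5
stor03,10.20.1.5,12.7.1
edge09,198.51.100.7,unknown
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one inventory row by affected version and BMC placement."""
    version = parse_version(row["spx_version"])
    addr = ipaddress.ip_address(row["bmc_ip"])
    isolated = any(addr in net for net in MGMT_NETS)
    if version is None:
        return "review"  # version unreadable: confirm on the BMC itself
    affected = any(low <= version < high for low, high in AFFECTED)
    if not affected:
        return "ok" if isolated else "restrict"
    return "patch" if isolated else "patch-and-restrict"

def run(inventory=INVENTORY):
    """Map each host in the CSV inventory to its triage status."""
    rows = csv.DictReader(io.StringIO(inventory))
    return {row["host"]: triage(row) for row in rows}

if __name__ == "__main__":
    for host, status in run().items():
        print(f"{host:8} {status}")
```

Hosts marked "review" carry a version string the parser cannot compare, so they need the firmware version confirmed directly before they are counted as remediated.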

Frequently asked questions

What is AMI's MegaRAC SPx and what is it used for?

AMI's MegaRAC SPx is a Baseboard Management Controller (BMC) firmware solution. It's used for comprehensive out-of-band management of servers, accelerators, and storage systems, allowing for remote control and monitoring independently of the main operating system.

What kind of vulnerability is CVE-2024-54085 and how does it affect systems?

CVE-2024-54085 is an 'Authentication Bypass by Spoofing' vulnerability (CWE-290). It allows remote attackers to bypass authentication on the BMC's Redfish Host Interface, potentially leading to unauthorized access and loss of data confidentiality, integrity, and availability.

What conditions are needed for an attacker to exploit this vulnerability?

An attacker needs to be able to remotely access the BMC's Redfish Host Interface. The vulnerability is triggered by manipulating specific HTTP headers to trick the BMC into believing the request originates from a trusted source, thereby bypassing authentication.

Who needs to be concerned about this vulnerability based on its exposure?

Organizations with systems where the BMC's Redfish interface is exposed externally should be concerned. While BMCs are typically intended for isolated management networks, any external exposure increases the risk.

What is the first step to address this threat if I'm running this technology?

The first step is to identify all systems running affected AMI MegaRAC SPx versions and apply vendor-provided firmware updates. It is also recommended to restrict network access to the Redfish Host Interface.
