Full Report
A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions. The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity. "A local or remote attacker can exploit the vulnerability by accessing the
Analysis Summary
# Vulnerability: Critical AMI MegaRAC BMC Authentication Bypass Leading to Remote Takeover and Bricking
## CVE Details
- CVE ID: CVE-2024-54085
- CVSS Score: 10.0 (Critical; CVSS v4 score as given in the report)
- CWE: Not specified in the report; the weakness class is an authentication bypass.
## Affected Systems
- Products: AMI MegaRAC Baseboard Management Controller (BMC) software, affecting downstream devices built with this stack.
- Versions: Not explicitly listed; the flaw follows a series of earlier MegaRAC vulnerabilities that have been patched since December 2022.
- Configurations: Systems whose Redfish remote management interface or internal host-to-BMC interface is reachable by an attacker.
- Confirmed Affected Devices: HPE Cray XD670, Asus RS720A-E11-RS24U, ASRockRack systems.
## Vulnerability Description
A critical vulnerability in the AMI MegaRAC BMC software stack allows an attacker to bypass authentication by accessing either the Redfish remote management interface or the internal host interface to the BMC. Successful exploitation grants full remote control over the compromised server. This enables severe post-exploitation actions, including malware deployment, firmware tampering (BMC or potentially BIOS/UEFI), indefinite reboot loops, and potentially physical damage to server components through over-voltage conditions ("bricking"). The vulnerability is noted to be similar in mechanism to CVE-2023-34329 (Authentication Bypass via HTTP Header Spoofing).
## Exploitation
- Status: No exploitation in the wild has been reported. The report does not explicitly mention a Proof of Concept (PoC), but the direct impact description suggests one exists.
- Complexity: Not stated; implied to be Medium/Low, since the bypass is reachable over network interfaces.
- Attack Vector: Network (Remote) or Adjacent (via internal host access).
## Impact
- Confidentiality: High (Full server control implies access to all data).
- Integrity: High (Ability to deploy malware, tamper with firmware).
- Availability: Critical (Ability to cause indefinite reboot loops or brick the system).
## Remediation
### Patches
- AMI released security patches on March 11, 2025.
- Downstream users must wait for OEM vendors (e.g., HPE, Asus, ASRockRack) to incorporate and release their certified updates based on AMI advisory **AMI-SA-2025003**.
### Workarounds
- No specific workarounds were detailed. The advisory notes that patching is non-trivial and requires device downtime, so limiting external or untrusted access to Redfish interfaces should be a priority until patching is complete.
## Detection
- Detection focuses on monitoring unusual activity across Redfish or internal BMC management interfaces.
- Indicators generally relate to unauthorized configuration changes, unexpected system reboots, or firmware modifications originating from management channels.
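The indicators above can be turned into a simple log check. The following is an added example, not code from the report, AMI or Eclypsium: it scans a constructed Redfish access-log format and alerts on accepted mutating calls to firmware-update, reset or account endpoints (standard DMTF Redfish paths) that arrive from outside an assumed management network or carry no authenticated session. The management range and log layout are assumptions for the demo.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Assumed management network from which Redfish calls are legitimately issued.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MUTATING = {"POST", "PATCH", "PUT", "DELETE"}

# Standard DMTF Redfish paths that map to the indicators in the text:
# firmware modification, BMC/system resets and account changes.
SENSITIVE = {
    "firmware_update": re.compile(r"^/redfish/v1/UpdateService(/|$)"),
    "manager_reset": re.compile(r"^/redfish/v1/Managers/[^/]+/Actions/Manager\.Reset$"),
    "system_reset": re.compile(r"^/redfish/v1/Systems/[^/]+/Actions/ComputerSystem\.Reset$"),
    "account_change": re.compile(r"^/redfish/v1/AccountService/Accounts(/|$)"),
}

# Constructed log format: <source ip> <session user or -> "<METHOD> <path>" <status>
LINE = re.compile(r'^(?P<src>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (category, reason) for a suspicious accepted request, else None."""
    m = LINE.match(line)
    if not m or m["method"] not in MUTATING or not m["status"].startswith("2"):
        return None  # malformed, read-only, or rejected (401/403) requests do not alert
    category = next((c for c, rx in SENSITIVE.items() if rx.match(m["path"])), None)
    if category is None:
        return None
    reasons = []
    if not any(ipaddress.ip_address(m["src"]) in net for net in MGMT_NETS):
        reasons.append("source outside management network")
    if m["user"] == "-":
        # An accepted mutating call with no session is the authentication-bypass signature.
        reasons.append("no authenticated session")
    return (category, "; ".join(reasons)) if reasons else None

def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return [(line, category, reason)] for every alerting line."""
    return [(line, *verdict) for line in lines if (verdict := classify(line))]

# Constructed sample log: normal admin activity plus two suspicious accepted calls.
SAMPLE_LOG = [
    '10.10.0.5 admin "GET /redfish/v1/Systems/1" 200',
    '10.10.0.5 admin "POST /redfish/v1/Systems/1/Actions/ComputerSystem.Reset" 204',
    '198.51.100.23 - "POST /redfish/v1/UpdateService/Actions/UpdateService.SimpleUpdate" 202',
    '198.51.100.23 - "PATCH /redfish/v1/AccountService/Accounts/1" 401',
    '10.10.0.9 - "POST /redfish/v1/Managers/1/Actions/Manager.Reset" 204',
]

if __name__ == "__main__":
    for line, category, reason in scan(SAMPLE_LOG):
        print(f"ALERT {category}: {reason}\n  {line}")
```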
## References
- Vendor Advisory: AMI-SA-2025003, https://go.ami.com/hubfs/Security%20Advisory/2025/AMI-SA-2025003.pdf
- Research Source: Eclypsium report, https://eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/
- General News Link: https://thehackernews.com/2025/03/new-critical-ami-bmc-vulnerability.html