Critical AMI MegaRAC bug can let attackers hijack, brick servers
Published on: 2025-06-12 01:29:35
A new critical-severity vulnerability found in American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers.
MegaRAC BMC provides "lights-out" and "out-of-band" remote system management capabilities that help admins troubleshoot servers as if they were physically in front of the devices. The firmware is used by over a dozen server vendors that provide equipment to many cloud service and data center providers, including HPE, Asus, ASRock, and others.
Remote, unauthenticated attackers can exploit this maximum-severity security flaw (tracked as CVE-2024-54085) in low-complexity attacks that don't require user interaction.
"A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish)," Eclypsium explained in a Tuesday report.
"Exploitation of this vulnerability allows an attacker to remote