ASUS releases fix for AMI bug that lets hackers brick servers

ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock. The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting. "A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish)," explained Eclypsium in a related report. "Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / brick ... Read full article.