#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter
CrowdSec

BMC Software | Breaking Cybersecurity News | The Hacker News

Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software

Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software
Feb 01, 2023 Server and Cloud Security
Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after  three security vulnerabilities  were brought to light in the same product. Firmware security firm Eclypsium  said  the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. The issues, collectively tracked as  BMC&C , could act as a springboard for cyber attacks, enabling threat actors to obtain remote code execution and unauthorized device access with superuser permissions. The two new flaws in question are as follows - CVE-2022-26872  (CVSS score: 8.3) - ​​Password reset interception via API CVE-2022-40258  (CVSS score: 5.3) - Weak password hashes for Redfish and API Specifically, MegaRAC has been found to use the MD5 hashing algorithm with a global salt for older devices, or  SHA-512 with per user salts  on newer appliances, potentially allowing a threat actor to crack th

New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers
Dec 05, 2022 Server Security / Cloud Technology
Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC  Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking)," firmware and hardware security company Eclypsium  said  in a report shared with The Hacker News. BMCs are privileged independent systems within servers that are used to control low-level hardware settings and manage the host operating system, even in scenarios when the machine is powered off. These capabilities make BMCs an enticing target for threat actors looking to plant persistent malware on devices that can survive operating system reinstalls and hard drive replacements. Some of the major server manufacturers that are known to have used MegaRAC BMC include AMD, Ampere Compu

external linkSay Goodbye to SaaS Blind Spots: Wing Security Unveils Free Discovery Tool

SaaS
websitewww.wing.securitySaaS Security / Attack Surface
Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.
Cybersecurity Resources