Dell, then again, has confirmed that its techniques are unaffected by the MegaRAC challenge, because it makes use of its personal Built-in Dell Distant Entry Controller (iDRAC) in its servers.
How might attackers exploit the flaw?
Every week after the patch was posted by AMI in March, Eclypsium, the corporate that found the vulnerability in late 2024, printed extra particulars of its internal workings:
“To our information, the vulnerability solely impacts AMI’s BMC software program stack. Nevertheless, since AMI is on the prime of the BIOS provide chain, the downstream affect impacts over a dozen producers,” wrote Eclypsium researchers.
The flaw, scored on the most severity of 10, is designated a ‘important’ flaw on CVSS. It will permit bypass authentication via the Redfish interface, based on Eclypsium, with a vary of outcomes, together with distant management of the server, deployment of malware/ransomware, and harmful actions equivalent to unstoppable reboot loops and even bricked motherboards.
In brief, it might not be a very good day for victims, though no exploitation of the vulnerability has thus far been detected. However as with every software program vulnerability, what counts is the pace and ease with which it’s patched.
The primary challenge illustrated by the apparently sluggish response to CVE-2024-54085 is the complexity of the patching course of when the software program concerned is a part of a provide chain involving a couple of vendor.
