On September 27th, Trend Micro’s Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account. 
In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings:

• CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
• CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
• CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
• CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
• CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)

What is Exim Mail?

Exim mail is an open source, message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA configured on Debian Linux distributions.

Are updates available?

Recently, maintainers of the Exim mail server issued a 4.96.1 patch that appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities,
if you are running Exim mail servers on your network, you should apply the security patch immediately.

How do I find potentially vulnerable Exim mail servers with runZero?

A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.

With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.

product:exim

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

What’s new with runZero 4.0? 

• New runZero Platform and Community Edition
• Build your inventory through passive discovery
• Discover assets the way you want to
• Integrate with Tenable Security Center
• Understand correlations quickly
• Improved new user workflow

New runZero Platform and Community Edition

The new and improved runZero Platform represents the culmination of four years of innovation, so it’s only fitting this is version 4.0 of our technology! Over the last few years, runZero has evolved and matured from an innovative asset inventory and network discovery product to a world-class CAASM (cyber asset attack surface management) solution. We couldn’t have reached this major milestone without our community and our awesome customers, and we thank you for supporting us on this journey.

The new Platform introduces passive discovery functionality, making runZero the only CAASM solution to combine proprietary active scanning, native passive discovery, and API integrations. Unifying all of these approaches makes runZero unique in its ability to deliver comprehensive coverage across managed and unmanaged devices, including the full spectrum of IT, OT, IoT, cloud, mobile, and remote assets.

With the introduction of the runZero Platform, we also have a new Community Edition that will replace Starter Edition effective immediately. Community Edition is a completely free version of the runZero Platform that is perfect for small businesses, individuals, and security researchers who have 100 or fewer assets.

You might be asking, is this just a name change for the free version? It’s not. It’s much better than that! We want all runZero users to benefit from the full power of the runZero Platform and our new Community Edition makes that possible. See the details below.

We hope the new Platform will help you better manage risk and exposure by giving you the most complete visibility possible across all your environments. Let’s dive into the details.

runZero Platform, Community Edition: CAASM for everyone #

The Community Edition is an improved version of the free Starter Edition. It now includes three important discovery approaches: unauthenticated active scanning, API integrations, and passive discovery.

Here’s why this is a significant leap forward:

Complete coverage: With three different discovery methods available, you can achieve a complete view of all your assets across IT, OT, IoT, cloud, mobile, and remote environments. runZero helps you uncover your unknowns and provides visibility across your internal network and external attack surface, consolidating everything into a single view.

Cost-efficiency: The Community Edition remains completely free, ensuring that advanced CAASM capabilities are accessible to organizations of all sizes and budgets.

runZero Platform: Unleash the full power of CAASM #

Our new runZero Platform brings together all of the features you know and love from our legacy Enterprise Edition with new functionality like passive discovery that is designed to provide the most complete security visibility possible. It includes:

Complete feature set: The Platform provides you with every tool in the runZero arsenal, ensuring you can tackle all the CAASM use cases like building a comprehensive asset inventory, eliminating security controls gaps, understanding vulnerabilities and identifying insecure configurations in your attack surfaces.

Unparalleled flexibility: API integrations, active scanning, and passive discovery are seamlessly integrated, offering you unparalleled flexibility to manage exposures of your ever-evolving attack surfaces.

Priority support: Platform customers can unlock premium support, also known as runZero Care, which enjoys priority access to our support team, ensuring you have expert guidance whenever you need it.

Scale to fit your needs: The Platform is perfect for organizations that manage a large number of assets. Whether you have thousands, hundreds of thousands, or even millions of assets to manage, runZero Platform can handle the load.

Current customers will receive further information about migrations.

Build your inventory through passive discovery #

Unlike other CAASM solutions, runZero offers visibility into OT environments, through both safe active scanning and now a passive discovery capability called traffic sampling. Traditional passive network monitoring tools require significant effort to deploy and compute resources to collect and analyze all network traffic. runZero’s passive traffic sampling only examines a small fraction of network traffic for asset discovery and fingerprinting, which customers can leverage with existing Explorers. This feature allows companies who have a policy against active scanning to build an asset inventory by analyzing traffic observed through SPAN ports, TAP interfaces, and broadcast. Passive traffic sampling is also helpful for organizations with scan windows that are too short to enable active discovery of the entire environment. Both active and passive approaches use the same fingerprinting database that was developed using data collected across tens of thousands of environments and OT devices.

We are very excited to introduce this novel approach to passive discovery as a complement to our reinvention of active scanning. We love a good challenge and like to rethink how we can improve on what’s already out there. Unlike traditional passive discovery solutions, runZero’s passive traffic sampling is faster, easier, and more cost-effective to deploy — and doesn’t require expensive dedicated hardware appliances. Our innovative approach to traffic sampling enables runZero Explorers to process existing network traffic as a software deployment on existing hardware or virtual machines.

Learn more about passive traffic sampling

Discover assets the way you want to #

Updates to the runZero interface make it easier than ever to leverage all the flexible discovery capabilities available to you. runZero is the only CAASM solution that provides comprehensive asset inventory coverage for managed and unmanaged devices, including IT, OT, IoT, cloud, mobile, and remote assets. This is only possible by combining three specific data sources: proprietary active scanning, native passive discovery, and API integrations. These combined capabilities give customers ultimate flexibility in a single, unified solution, eliminating the need for multiple siloed tools.

Check out the new start pages for API Integrations, active scanning, and passive discovery.

Integrate with Tenable Security Center

With 4.0, you can now enrich your inventory with an authenticated API connection to Tenable Security Center, similar to existing integrations with Tenable.io and Nessus. This allows you to search for Tenable attributes, and vulnerabilities in runZero, as well as find assets not monitored by Tenable Security Center. runZero automatically correlates Tenable assets to runZero assets based on unique fields. Vulnerability data can be viewed in the asset details, as well as a dedicated inventory tab. Vulnerability attributes include CVSS score, relevant CVEs, vulnerability description, and any recommended remediation actions.

Learn more about the integration or set up an API connection to Tenable Security Center today!

Understand correlations quickly

You asked and we delivered. Now you can quickly see the matching field that runZero used to merge data into existing records. Consolidating asset and exposure information from disparate sources into a single normalized view makes it easier for you to manage your ever-changing environment. As networks grow in complexity, sometimes it is not obvious how the correlation engine merges data from a new source and this important quality-of-life improvement shows what field and value was used, as well as the specific task, and time of the merge.

Take a look at any recently-updated asset with multiple sources to check it out!

Improved new user workflow

New to runZero? You’ll be greeted by an updated onboarding flow that introduces all of runZero’s discovery capabilities and makes it easier than ever to get started.

New users will automatically see the new flow. Existing users can check it out too.

Rapid Responses #

• Finding Fortinet SSL VPN
• How to find MegaRAC BMCs
• How to find Citrix NetScaler
• How to find Ivanti EPMM (MobileIron Core)
• How to find OpenSSL 1.1 instances

Protocol and fingerprint improvements

We continue to add new methods of discovery and to improve fingerprinting. Here’s what’s new in this latest version:

• Support for EtherNet/IP probing and the MODBUS/TCP protocol, improving discovery and fingerprinting for OT networks.
• Support for MQTT, improving discovery and fingerprinting for IoT devices constrained by resources or bandwidth
• Improved fingerprinting of devices using the Mopria Alliance eSCL protocol, such as paper scanners and multifunction printers
• Improved discovery for VoIP endpoints using the Voice Services Discovery Protocol (VSDP)
• Improved fingerprinting for SMBv1 endpoints, assets based on AzureAD, Microsoft Intune, Microsoft 365 Defender, and NFS data, BACnet devices, devices that provide UPnP information, and devices that use Spotify Connect

See runZero 4.0 in action

Release notes

The runZero 4.0 release includes a rollup of all the 3.10.x updates, which includes all of the following features, improvements, and updates.

• Moved to a new versioning scheme for the Console and Explorers, <major>.<minor>.<yymmdd>.<revision>.

New features

• Build your inventory through passive discovery
• Discover assets the way you want to
• Integrate with Tenable Security Center
• Understand correlations quickly
• Improved new user workflow

Integration improvements

• A bug that could cause some long-running connection tasks to restart repeatedly has been resolved.
• A bug that could prevent Intune assets from merging with other sources has been resolved.
• A bug that could prevent Tenable Security Center syncs from completing has been resolved.
• A bug that could result in an incorrect ts attribute for Azure AD, Google Workspace, and Microsoft Intune has been resolved.
• A bug that could result in invalid Shodan credentials still validating has been resolved.
• A bug that prevented some queries from correctly matching Intune assets has been resolved.
• A bug where existing assets were incorrectly fingerprinted after importing data from Microsoft 365 Defender has been resolved.
• A performance regression when processing third-party assets has been resolved.
• A rotation date for stored credentials is now available through both console and API via a new secret_updated_at field.
• CrowdStrike and Azure AD assets will no longer be merged if they have a different globally unique ID. This may lead to more offline assets being generated if devices are frequently reimaged and given new GUIDs.
• Custom Integrations now support the exclude unknown option.
• Error logging for the Shodan integration has been improved.
• Improved handling of API request retries for the Microsoft Intune integration.
• The Tenable integration has been updated to reduce the possibility of asset and vulnerability export timeouts.
• The Tenable integration has been updated to reduce the possibility of vulnerability export timeouts.
• The request timeout has been increased for the Microsoft Intune and Azure AD integrations.

Inventory management improvements

• A bug causing inconsistent navigation for Explorer configuration editing has been resolved.
• A bug causing incorrect assertion of Microsoft Defender for Endpoint in edr.name has been resolved.
• A bug causing pending new tasks to be seen as editable has been resolved, so that only new tasks scheduled to start in the future can be modified.
• A bug causing project expiration to be miscalculated has been resolved.
• A bug causing tasks in the process of stopping to be seen as dismissible has been resolved, so that only failed and completely stopped tasks can be dismissed.
• A bug that could cause foreign service attributes to be attributed to the wrong source has been resolved.
• A bug that could cause tasks to be copied with an incorrect discovery scope has been resolved.
• A bug that could lead to improper stale service removal on rescan has been resolved.
• A bug that could lead to orphaned tasks when an Explorer is removed has been resolved.
• A bug that could prevent import of wireless networks has been resolved.
• A bug that could prevent in-scope, unscanned addresses from being cleared on runZero assets has been resolved.
• A bug that could prevent queries containing mixed-case search terms from returning results has been resolved.
• A bug that could result in an unnecessary screenshot warning for connector tasks has been resolved.
• A bug that could result in duplicate service warnings has been resolved.
• A bug that could result in duplicate software entries for some sources has been resolved.
• A bug that could result in orphaned tasks when removing an explorer has been resolved.
• A bug that enabled SNMP credentials when modifying or copying existing scan tasks has been resolved.
• A bug that prevented SNMPv3 credentials from being saved has been resolved.
• A bug that prevented the scan.explorer_id value from being populated in alert templates has been resolved.
• A bug that prevented the Find assets in this site icon from working properly in some cases has been resolved.
• A bug that resulted in the Nmap XML Export having a zero start time has been resolved.
• An issue that caused the asset details page to load very slowly has been resolved.
• An issue that could result in an empty dashboard until a metrics recalculation was triggered has been resolved.
• An issue that could result in an empty dashboard when selecting a single site has been resolved.
• An update for improved asset matching for tasks importing both scan and third-party data sources has been added.
• An update to the runZero Explorer now logs when the host operating system receives an interrupt or terminate signal, such as when the OS reboots.
• Event rules now support conditions for Explorer and task type, where relevant.
• Exports of task data now include timestamps which differentiate time spent acquiring data from time spent processing data.
• Improved merging of assets with NetBIOS or SMB services.
• Improved performance when deleting large organizations, projects, or sites.
• License-based size limits are now applied to file imports.
• Recurring tasks now stop with an error if they use a task template that has been deleted.
• Task name and description can now be modified for tasks created via file imports.
• Task processing times are improved.
• Tasks in the stopping state are now included in the Processing section of the Tasks overview.
• The maximum number of ownership types has been increased from 10 to 25.
• The tasks CSV export now includes the template_name column.
• The tasks JSON export and API responses now include the site_name, agent_name, and template_name columns.

New vulnerability queries

• Hardware: MegaRAC BMC
• Hardware: Citrix NetScaler

Scan and monitor engine improvements

• A bug that could cause a memory leak in the Explorer between stopped tasks has been resolved.
• A bug that could lead to bogus assets appearing in scans through Fortigate proxies has been resolved.
• A bug that could prevent bogus services from certain firewalls from being completely filtered has been resolved.
• A bug that could prevent some Windows-based Explorers from connecting with the same ID has been resolved.
• A bug that could prevent the Explorer from reading the .env configuration file has been resolved.
• A number of small parsing bugs in the protocol parsing engine have been resolved.
• A bug which could leave SYN and LAYER2 probes in a perpetual error condition loop has been resolved.
• A warning is now recorded for scan tasks if a host is ignored for responding on too many ports.
• An issue that could result in stalled scans has been resolved.
• Improved automatic asset filtering for certain web proxy assets.
• Improved detection of spurious services when scanning certain firewalls.
• Passive traffic sampling tasks now set source:sample instead of source:passive for assets.
• The Explorer now uses the “runZero” brand by default (and matching filesystem/registry locations).
• The TCP SYN scanner is now friendlier to stateful firewalls in the network path.
• The scanner now supports a new syn-reset-sessions option that can be used to reduce session usage in middle boxes.

Self-hosted platform improvements

• The self-hosted console now defaults to PostgreSQL 15 and provides an install option to select a version.
• The self-hosted console now uses the “runZero” brand (and runzeroctl command) by default.

Security and user management improvements #

• A bug causing the user details page to display permissions incorrectly has been resolved.
• A bug in the user permissions display interface has been resolved.
• A bug preventing some users from being able to manage their user’s group membership has been resolved.
• A bug that could cause scan templates to be hidden when configured with invalid permissions has been resolved.
• A bug that could prevent new SSO users from authenticating has been resolved.
• A bug that could result in the wrong hostname being used in password reset links has been resolved.
• A bug where users logging in for the first time with SSO would not have access to any organizations from the SSO group mappings has been resolved.
• A security improvement has been added to clear password reset tokens after a password change or when link-based authentication is requested.
• An issue that could result in login errors for invited users using Single Sign-On has been resolved.

API improvements

• The api/v1.0/org/sites/{site_id}/import route now returns the proper 400 http status code error when the request body is empty instead of a status code 500.

UI/UX improvements

• A bug causing app banners to not be visible has been resolved.
• A bug causing the datepicker to close when navigating by year has been resolved.
• A bug preventing columns from retaining their custom ordering has been resolved.
• A bug that prevented display of the user permissions table in the User Details screen has been resolved.
• A bug that prevented download commands from being displayed on the redesigned scanner page has been resolved.
• On-screen text explaining the interaction between a user’s default organization role and the granted per-org role is clearer.
• The Explorer and scanner download pages have been redesigned for improved UX and performance.
• The Integrate page now shows active and suggested integrations for the current organization.
• The asset details screen now has pagination when viewing an asset with more than 30 services.

IT and security teams rely on an array of cybersecurity tools to manage their network assets. However, these tools often fall short of providing a comprehensive and detailed asset inventory. Consequently, as an organization’s attack surface evolves, the risk of undiscovered or unmanaged assets increases, heightening the potential for network infiltration. 

The 2023 State of Cyber Assets Report uncovered a remarkable 133% year-over-year growth in cyber assets for organizations, surging from an average of 165,000 in 2022 to 393,419 in 2023. This rapid increase in assets resulted in a staggering 589% rise in security vulnerabilities or unresolved findings, accentuating the snowball effect caused by more than doubling the number of assets.

As organizations incorporate an ever-growing number of devices, their attack surface inevitably expands. Thus, gaining a comprehensive understanding of the status of each connected asset becomes crucial.

Each article linked below highlights the limitations of various types of cybersecurity tools for asset management, contrasting them with runZero—an all-encompassing cyber asset management solution that surpasses them all by comparison.

Inefficient cyber asset management tools

1. Endpoint Detection and Response (EDR) agents
   

   EDR works well for endpoint protection but not asset inventory. When incident responders find assets that are compromised but can’t find them in the asset inventory, many teams realize that they went down the wrong path.

2. Spreadsheets
   

   Microsoft Excel and Google Sheets can be an easy first step to track asset data for an IT environment, but they fail entirely as an efficient cyber asset management solution. Spreadsheets require manual data collection resulting in inconsistent attributes, outdated information, lack of detail and incomplete inventory.

3. Vulnerability scanners
   

   Some try to build an asset inventory using vulnerability scanners. Beyond a lack of detail, vulnerability scanners sometimes simply get it wrong; crashing devices, providing a backward-looking view, finding phantom assets, among other concerns. Leading vulnerability scanners simply do not provide a full, accurate, current asset inventory in everyday practice.

4. Configuration Management Database (CMBD)
   

   CMDBs are designed to track data relating to managed IT assets, such as routers, switches, or servers. However, according to Gartner, only 25% of organizations achieve meaningful value with their CMDBs. Beyond incompleteness, data inaccuracy is also a major concern. If you are relying on your CMDB to be a source of truth, you need to be able to trust the information in it. The data in a CMDB will only be as good as its sources.

5. Network Access Control (NAC)
   

   IT and security teams often depend on data from NAC’s and associated network aggregation tools for asset inventory. However, they are designed to control access to the network, an entirely different task from building a comprehensive inventory of devices on the network. If a compromised asset cannot be found in the inventory, it indicates that NACs are suboptimal for asset discovery; a fundamental component of cyber asset management.

6. Free network scannersMost free network scanners don’t scale easily out of the box, often requiring custom databases and scripts to make them suitable for continuous monitoring and collecting inventory from multiple segments or sites.

Why effective cyber asset management matters

In the ever-changing digital landscape of an organization, prioritizing cyber asset management is essential for ensuring the resilience and continuity of operations, as well as safeguarding the reputation and trust of the organization, its stakeholders and the data with which it governs.

It’s foundational to cybersecurity 

You simply need to know about the assets on your network before you can manage them. Before effective asset management can take place, it is crucial to have a comprehensive understanding of the assets on your network. By accurately identifying, tracking, and protecting critical assets, organizations can proactively defend against cyber threats, minimize vulnerabilities, and ensure the confidentiality, integrity, and availability of sensitive information.

Preparation is key 

IBM’s Cost of a Data Breach Report 2023 shares that the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.

By integrating a comprehensive asset inventory into business continuity planning, organizations can effectively identify and prioritize the protection of vital assets crucial for maintaining operations during disasters or disruptions. This proactive strategy enhances the organization’s resilience during times of crisis.

It’s required by regulations and insurance

Various industries, including healthcare, energy, financial services, and government, are all subject to specific regulatory or insurance requirements related to asset management and data protection. A comprehensive asset inventory helps organizations ensure compliance. It enables them to demonstrate their efforts in safeguarding sensitive information and critical infrastructure, thereby avoiding legal penalties and reputational damage.

Take the SolarWinds supply chain attack in 2020, for example. This sophisticated attack involved hackers compromising the software supply chain of SolarWinds, a prominent IT management software provider. The attackers injected malicious code into SolarWinds’ Orion platform updates, which were then distributed to thousands of the company’s customers, major corporations, the Department of Defense, the Department of State, and the Department of Homeland Security to name just a few.

Not only did SolarWinds report upwards of $3.5 million in expenses related to incident investigation and remediation, they were subject to numerous lawsuits, domestic and foreign. Including an investigation into the possible breach of the European Union’s General Data Protection Regulation and other data protection and privacy regulations.

It’s the bedrock of business operations

On the financial aspect, maintaining an asset inventory empowers organizations to monitor their IT investments and infrastructure effectively. Comprehensive knowledge of all assets enables teams to make informed decisions regarding upgrades or replacements for outdated assets, prioritize patching and updates, and avoid unnecessary expenses on redundant or non-essential devices.

Presidio, a global digital services and solutions found immediate success with runZero, using it to onboard clients to their managed service programs. With runZero, they were able to eliminate spreadsheets, thereby reducing the amount of time spent manually collecting client data. Instead, they can focus on delivering outcomes for their clients.

runZero: a complete cyber asset management solution

runZero is a cyber asset management solution that includes CAASM functionality. It combines integrations with EDR and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.

runZero scales up to millions of devices, and it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices.

The OT (Operational Technology) sector faces significant challenges when it comes to network scanning. OT systems frequently utilize proprietary protocols that may not be compatible with legacy scanners. Consequently, this incompatibility significantly hinders the effective scanning and information gathering from OT devices. As a result, the asset inventory obtained is often incomplete or inaccurate, posing a major security risk.

Fortunately, runZero avoids aggressive scan tactics, which could destabilize certain IT and OT devices. With runZero, organizations of all types can safely create comprehensive and detailed asset inventories without any disruptions.

How does runZero safely scan OT environments?

runZero employs an innovative incremental fingerprinting approach specifically designed to identify and handle fragile devices effectively. When a fragile device is detected, the method is automatically adjusted to ensure safe scanning. Unlike other scanners that may utilize security probes, runZero’s proprietary scan technology solely utilizes well-formed IP packets. This approach eliminates the risk of disrupting critical operations or causing downtime.

Thanks to its unique and reliable method, runZero has garnered a large and satisfied customer base in various industries including manufacturing, energy, and healthcare. These customers confidently conduct regular scans in their OT environments without encountering any issues.

For a more in-depth understanding of runZero’s approach to OT environments, we invite you to listen to the two podcasts below, featuring runZero founders HD Moore and Chris Kirsch, respectively.

runZero’s approach to scanning ‘fragile devices’ – HD Moore and Dale Peterson on Unsolicited Response podcast

In this episode HD Moore and Dale Peterson spend the first third of the show talking about Metasploit; early reaction, OT modules, and whether Metasploit is still necessary and useful today.

The conversation then shifts to creating asset inventories in IT and OT environments, a core feature of runZero.

Below is a summary of the main talking points in this podcast:

• Why HD decided to run back into the cybersecurity startup world?
• How it started as a solo shop with HD writing all the code.
• How HD thinks Shodan and runZero are different.
• What technique runZero uses to ‘scan’. A term that many fear in OT.
• The OT reaction to this type of scanning.
• What role uses the runZero product?

runZero adds passive scanning for OT networks – Chris Kirsch on the Risky Business podcast

In this Risky Business News sponsor interview Tom Uren talks to Chris Kirsch about how runZero has evolved from an IT network active scanning product to one that can now discover assets on OT and cloud environments using both active and passive scanning approaches.

Play runZero OT minesweeper and win a prize!

There is still time left to play runZero’s OT Minesweeper!

The top three players will win one of the following prizes:

runZero is safe for OT environments, but legacy scanners are not!

In this game, you are a legacy scanner with 30 seconds (and ten total attempts) to recon the network without getting noticed in the fastest time. Just don’t crash any OT devices!

Play OT Minesweeper!

• Promotion ends: August 11th 2023 at 11:59 pm CST
• Winners will be announced at DEF CON 2023

This week, Eclypsium Research published findings on critical vulnerabilities discovered in AMI MegaRAC baseboard management controller (BMC) firmware. Adding to the portfolio of “BMC&C” vulnerabilities that Eclypsium has been discovering and surfacing since late 2022, these two new vulnerabilities (tracked as CVE-2023-34329 and CVE-2023-34330) can be exploited and chained together to yield unauthenticated remote code execution on vulnerable targets. These vulnerabilities could impact many devices, as MegaRAC BMCs are popular across a number of manufacturers and appear in products from AMD, Asus, Dell EMC, Gigabyte, HPE, Lenovo, Nvidia, and more.  

What is an A MI MegaRAC BMC? 

MegaRAC baseboard management controllers (BMCs) provide “lights out” management capabilities for remotely monitoring and managing servers. Manufactured by American Megatrends International (AMI), MegaRAC BMCs include a service processor and network connection that operate separately from the server they are connected to. Modern MegaRAC BMC firmware includes support for the Redfish API.

What is the impact? 

These two newly disclosed vulnerabilities involve the Redfish service running on the MegaRAC:

• Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329; CVSS score 9.1 – “critical”)
• Code injection via Dynamic Redfish Extension (CVE-2023-34330; CVSS score 8.2 – “high”)

CVE-2023-34329 can be exploited with specially crafted HTTP headers to trick the Redfish service into believing the request is coming from an interface that does not require authentication, such as USB0. On systems which have the No Auth option enabled, these spoofed headers will allow attackers to access and interact with any Redfish API endpoints.

CVE-2023-34330 can be exploited via an HTTP POST action to execute arbitrary code on the MegaRAC processor. While this code-execution-via-POST was an intentional design choice by AMI, it likely was intended for internal development only. However, it is enabled by default in vulnerable versions of the firmware, making it available to a broader audience.

Chaining exploitation of the two above vulnerabilities together can provide attackers with unauthenticated remote code execution and full control over a vulnerable MegaRAC target. Following successful exploitation, attackers can establish persistence, perform data exfiltration, perform lateral movement in the network, deploy malware, and more. Attackers can also perform a denial of service by forcing the server into a reboot loop or even bricking the system so it will no longer properly function.

Are updates available? 

AMI has made patched firmware available in versions SPx_12.4 and SPx_13.2. Admins should update MegaRAC BMCs to the newer firmware as soon as possible.

Eclypsium Research also shared mitigations to help reduce the chance of a successful attack, including:

• Ensuring all remote server management network interfaces are NOT exposed externally and operate on networks dedicated to management traffic only.
• Ensuring access to remote server management network interfaces is restricted to administrative users via ACLs or firewalls per Zero Trust Architecture principles.

Additionally, U.S. government agencies and contractors legally required to comply with CISA’s Binding Operational Directive 23-02 should note required guidance to follow (similar to the aforementioned mitigation steps).

How do I find potentially vulnerable MegaRAC BMCs with runZero? 

From the Asset inventory, use the following prebuilt query to locate MegaRAC BMC instances in your network:

hw:megarac

Results from the above query should be triaged to verify if those assets are running updated firmware versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.