AMI MegaRAC BMC Vulnerabilities
On December 5, 2022, three vulnerabilities were disclosed in the American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software. BMCs provide out-of-band management for servers and motherboards. The vulnerabilities are rated in severity from High to Critical.
Notice: This document will continue to be updated as additional information becomes available and is subject to change without notice.
CVE ID and vulnerability details

CVE | Severity Rating | Impact of Vulnerabilities
---|---|---
CVE-2022-40259 | 9.8 Critical | Arbitrary Code Execution via Redfish API
CVE-2022-40242 | 9.8 Critical | Default credential for UID = 0 shell via SSH
CVE-2022-2827 | 7.5 High | User enumeration via API
Some Atos HPC products are based on the AMI MegaRAC BMC software and are affected by these vulnerabilities.
The following table lists the Atos HPC products based on AMI MegaRAC BMC software, with the BMC firmware version that fixes the vulnerabilities for each platform.
Product line | Platforms | Motherboard | Fixed version (*)
---|---|---|---
BullSequana X400-A5 server family | X410-A5 | MZ12-HD1/MZ42-G20 | BMC 12.60.39
BullSequana X400-A5 server family | X410-A5 | G262-ZO0 | BMC 12.83.43
BullSequana X400-A5 server family | X430-A5 | MZ32-AR0/MZ92-FS0 | BMC 12.60.39
BullSequana X400-A5 server family | X440-A5 | MZ12-HD0/MZ62-HD0 | BMC 12.60.39
BullSequana X400-A5 server family | X450-A5 | MZ92-FS0 | BMC 12.60.39
BullSequana X400-A5 server family | SMC & SMC xScale Servers | MZ32-AR0/MZA2-CE0 | BMC 12.60.39
BullSequana XH2000 | BullSequana X2410 | CERM | In progress
BullSequana XH2000 | BullSequana X2415 | CRRM/CRRM+ | In progress
(*) BMC firmware is available for download once a "Fixed version" is listed; platforms marked "In progress" do not yet have a fixed firmware. Please navigate to the firmware download section for the respective platform.
For any further assistance, please contact your Atos HPC support representative or create a support ticket on https://tickets.bull.com