As the clock ticked, suppliers slowly patched key flaws in Ami Megarac BMC firmware

Dell, on the other hand, confirmed that its system is not affected by Megarac issues, because it uses its own integrated Dell Remote Access Controller (IDRAC) in its servers.

How do attackers exploit flaws?

The patch was released a week after AMI in March, and the company discovered the vulnerability in the second half of 2024, releasing more details about its internal operations:

“To our knowledge, vulnerabilities only affect AMI’s BMC software stack. However, because AMI is at the top of the BIOS supply chain, downstream impacts affect more than a dozen manufacturers,” Eclypsium researchers wrote.

This defect is designated as a “critical” defect on CVSS to a maximum severity of 10. According to eclypium, it will allow bypass authentication via the Redfish interface and has a range of results, including remote control of the server, deployment of malware/ransomware, and destructive actions such as unstoppable reboot loops, and even brick beds.

In short, it was not a good day for the victims, although no exploitation of the vulnerability has been found so far. But as with any software vulnerability, it is the speed and ease of patching it.

When the software involved is part of a supply chain involving multiple vendors, the first problem that is clearly slow to respond to CVE-2024-54085 to CVE-2024-54085 is the complexity of the patching process.