CVE-2023-25191
📋 TL;DR
The Redfish interface of AMI MegaRAC SPX BMC firmware discloses account passwords, letting an attacker who can reach the interface recover management credentials. Any organization running servers whose BMC is built on a vulnerable MegaRAC SPX release with Redfish reachable is affected. Fixed in SPx_12-update-7.00 and SPx_13-update-5.00.
💻 Affected Systems
- Servers whose BMC runs AMI MegaRAC SPX firmware earlier than SPx_12-update-7.00 (12.x branch) or SPx_13-update-5.00 (13.x branch). OEMs ship this firmware under their own version strings, so use your OEM's release notes to map their version to the SPX baseline.
📦 What is this software?
AMI MegaRAC SPX (SP-X) is a baseboard management controller (BMC) firmware stack that AMI licenses to server OEMs and ODMs, who ship it under their own branding and version numbers. It provides out-of-band management independent of the host OS: IPMI, a web UI, remote KVM and virtual media, and a Redfish REST API over HTTPS. Because the BMC sits below the host and holds administrative credentials for it, a credential disclosure in the BMC reaches the whole server.
⚠️ Risk & Real-World Impact
Worst Case
Disclosed BMC credentials give an attacker administrator access to the BMC and, through it, the host: remote KVM, virtual media, power control and firmware updates, enabling data exfiltration, persistence below the operating system, or ransomware deployment. BMC credentials are often shared across a fleet, so one disclosure can extend to many servers.
Likely Case
Unauthorized login to the management interface with the recovered credentials, followed by privilege escalation on the BMC and lateral movement to other BMCs and hosts on the management network.
If Mitigated
Limited impact where the Redfish interface is reachable only from an isolated management network with strict access controls, because the attacker must first reach the interface.
🎯 Exploit Status
Exploitation requires network reachability to the BMC's Redfish (HTTPS) interface. Treat the vendor advisory as the authoritative statement of what privilege, if any, the attacker needs; do not assume that the BMC login alone protects the endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SPx_12-update-7.00 or SPx_13-update-5.00
Vendor Advisory: https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023002.pdf
Restart Required: Yes
Instructions:
1. Obtain the fixed BMC firmware from your server OEM's support portal (AMI supplies MegaRAC SPX to OEMs, who release it under their own version numbers; their release notes state which SPX baseline a build corresponds to).
2. Apply the update through the BMC web interface or the OEM's firmware update tool.
3. Reset the BMC to activate the new firmware. This is a BMC restart; a host reboot is usually not required, but confirm with your OEM's release notes.
4. Rotate BMC account passwords after updating, since any password readable before the fix must be assumed disclosed.
🔧 Temporary Workarounds
Disable Redfish Interface
If the BMC is not managed over Redfish, disable the Redfish service until the fix is applied, using the BMC web interface's service settings or your OEM's documented procedure. OEM IPMI raw commands (NetFn 0x30) differ between vendors and can change unrelated settings such as the BMC's network mode, so do not run an unverified raw command for this; the advisory does not document one.
Restrict Network Access
Redfish is served over HTTPS (TCP 443 by default). UDP 623 is IPMI-over-LAN, a separate BMC service that should be restricted as well. The BMC itself gives you no firewall to configure, so enforce the rules on the gateway or firewall in front of the management network; on a Linux gateway routing to the BMC subnet that is the FORWARD chain, not INPUT (<bmc_subnet> and <trusted_network> are placeholders):
iptables -A FORWARD -d <bmc_subnet> -p tcp --dport 443 -s <trusted_network> -j ACCEPT
iptables -A FORWARD -d <bmc_subnet> -p tcp --dport 443 -j DROP
iptables -A FORWARD -d <bmc_subnet> -p udp --dport 623 -s <trusted_network> -j ACCEPT
iptables -A FORWARD -d <bmc_subnet> -p udp --dport 623 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation so BMC/Redfish interfaces are reachable only from a dedicated management network, ideally via a jump host
- Use strong, unique passwords per BMC, rotate them once the fix is applied (and immediately if exposure is suspected), and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Query the Redfish account collection at /redfish/v1/AccountService/Accounts and each member it lists. The Redfish ManagerAccount schema defines Password as write-only, so a fixed BMC returns null for it; a vulnerable one returns password material there or in an OEM property. Try the request first without credentials and then with a low-privilege account, since the privilege an attacker needs depends on the firmware, and do this only against systems you own.
Check Version:
ipmitool mc info | grep 'Firmware Revision'
The revision this prints is the OEM's firmware version (also shown in the BMC web UI and in the FirmwareVersion property of the Redfish Manager resource), not the AMI SPX baseline; map it through your OEM's release notes. ipmitool works in-band or remotely over IPMI-over-LAN (-I lanplus).
Verify Fix Applied:
Confirm the installed firmware corresponds to SPx_12-update-7.00 or later (SPx_12 branch) or SPx_13-update-5.00 or later (SPx_13 branch), then repeat the vulnerability check above and confirm that no password material is returned.
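The check above can be scripted. The following is an added example, not code from the advisory or from AMI: it walks the Redfish Accounts collection, fetches each member and flags any property that carries password material. It assumes a standard DMTF Redfish tree under /redfish/v1 and that, per the ManagerAccount schema, Password must read back as null; the heuristic list of secret-looking property names, the optional Basic-auth credentials and the sample responses are assumptions constructed for illustration, not captured from a device.

```python
"""Added example, not code from the advisory or from AMI: audit a BMC's
Redfish AccountService for password material that should never be readable.

Assumptions (not from the original page): the BMC implements standard DMTF
Redfish under /redfish/v1; per the ManagerAccount schema the `Password`
property is write-only and must read back as null; any other property whose
name looks like a secret and holds a non-empty string is treated as a leak.
The sample responses below are constructed, not captured from a device."""
import base64
import json
import ssl
import sys
import urllib.request

# Substrings that mark a property as credential-bearing (assumed heuristic).
SECRET_TOKENS = ("password", "passwd", "pwd", "secret", "hash")


def find_leaks(obj, path=""):
    """Return dotted paths of properties in a Redfish resource that expose
    password material. Recurses into nested objects (e.g. Oem extensions)."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key == "Password":
                # Redfish: write-only, so anything other than null is a disclosure.
                if value is not None:
                    leaks.append(here)
            elif isinstance(value, str) and value and any(
                    tok in key.lower() for tok in SECRET_TOKENS):
                leaks.append(here)
            else:
                leaks.extend(find_leaks(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            leaks.extend(find_leaks(item, f"{path}[{i}]"))
    return leaks


def audit_accounts(collection, fetch):
    """Walk an Accounts collection, fetching each member with
    fetch(odata_id) -> dict, and map account Id -> list of leaked paths."""
    findings = {}
    for member in collection.get("Members", []):
        odata_id = member["@odata.id"]
        account = fetch(odata_id)
        leaks = find_leaks(account)
        if leaks:
            findings[account.get("Id", odata_id)] = leaks
    return findings


def redfish_get(base_url, path, credentials=None):
    """GET a Redfish resource as JSON. `credentials` is an optional
    (user, password) tuple sent as HTTP Basic auth. BMCs usually present
    self-signed certificates, so TLS verification is disabled for this probe;
    run it only on the management network."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample data so the audit can run offline.
SAMPLE_COLLECTION = {
    "@odata.id": "/redfish/v1/AccountService/Accounts",
    "Members": [
        {"@odata.id": "/redfish/v1/AccountService/Accounts/1"},
        {"@odata.id": "/redfish/v1/AccountService/Accounts/2"},
    ],
}
SAMPLE_ACCOUNTS = {
    "/redfish/v1/AccountService/Accounts/1": {
        "Id": "1", "UserName": "admin", "RoleId": "Administrator",
        "Password": None,  # compliant: reads back as null
    },
    "/redfish/v1/AccountService/Accounts/2": {
        "Id": "2", "UserName": "operator", "RoleId": "Operator",
        "Password": "Sup3rS3cret!",  # constructed disclosure
        "Oem": {"ExampleVendor": {"PasswordHash": "$6$constructed$hash"}},
    },
}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demo against the constructed sample.
        print(audit_accounts(SAMPLE_COLLECTION, SAMPLE_ACCOUNTS.__getitem__))
    else:
        # Live probe: <script> https://bmc.example [user password]
        base = sys.argv[1]
        creds = (sys.argv[2], sys.argv[3]) if len(sys.argv) >= 4 else None
        fetch = lambda p: redfish_get(base, p, creds)
        print(audit_accounts(fetch("/redfish/v1/AccountService/Accounts"), fetch))
```

Run it once with no credentials and once with a low-privilege account; an empty result from a firmware at or above the fixed versions, and a non-empty one from an older build, is the difference you are looking for. A match in an Oem subtree counts as a disclosure just as much as a non-null Password.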
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Redfish endpoints
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- Connections to BMC HTTPS (TCP 443) or IPMI (UDP 623) ports from addresses outside the management network
- Redfish traffic is TLS, so payload inspection is not practical; look instead for request patterns such as a new source walking /redfish/v1 resources or hitting AccountService paths shortly after first contact
SIEM Query (Splunk-style; the source and field names are placeholders and depend on how your BMC logs are forwarded):
source="BMC_logs" AND (uri="/redfish/v1/AccountService/Accounts*" OR event="authentication_failure")
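For environments without a SIEM, or to prototype the two log indicators above before writing the production query, here is an added example that is not code from the advisory or from AMI. It assumes the BMC (or a reverse proxy in front of it) emits one request per line in a common-log-style format, which real MegaRAC builds do not necessarily do; the regex, the trusted-network list and the sample lines are assumptions constructed for illustration.

```python
"""Added example, not code from the advisory or from AMI: flag the two log
indicators (Accounts endpoint hit from an untrusted source; several auth
failures followed by a success) in BMC HTTP access logs.

Assumptions (not from the original page): one request per line as
    <src_ip> - <user> [<dd/Mon/yyyy:HH:MM:SS +zzzz>] "<method> <path> HTTP/x" <status>
Real MegaRAC log formats differ by OEM; adjust LOG_RE to match yours.
The sample lines are constructed, not captured from a device."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ACCOUNTS_PREFIX = "/redfish/v1/AccountService/Accounts"


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, trusted_cidrs, fail_threshold=3, window=timedelta(minutes=10)):
    """Return two sets of source IPs:
    - untrusted_account_access: hit the Accounts endpoint from outside trusted_cidrs
    - spray_then_success: >= fail_threshold 401/403s within `window`, then a 2xx
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    failures = defaultdict(list)  # src -> timestamps of recent auth failures
    result = {"untrusted_account_access": set(), "spray_then_success": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the run
        src = ipaddress.ip_address(rec["src"])
        if rec["path"].startswith(ACCOUNTS_PREFIX) and not any(src in n for n in trusted):
            result["untrusted_account_access"].add(rec["src"])
        if rec["status"] in (401, 403):
            failures[rec["src"]].append(rec["ts"])
        elif 200 <= rec["status"] < 300:
            recent = [t for t in failures[rec["src"]] if rec["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                result["spray_then_success"].add(rec["src"])
            failures[rec["src"]].clear()
    return result


# Constructed sample log: a trusted admin, an untrusted enumerator, a
# spray-then-success source, a single benign failure, and a malformed line.
SAMPLE_LOG = """\
10.0.5.7 - admin [12/Feb/2023:10:00:01 +0000] "GET /redfish/v1/AccountService/Accounts HTTP/1.1" 200
203.0.113.9 - - [12/Feb/2023:10:01:00 +0000] "GET /redfish/v1/AccountService/Accounts HTTP/1.1" 200
203.0.113.9 - - [12/Feb/2023:10:01:02 +0000] "GET /redfish/v1/AccountService/Accounts/2 HTTP/1.1" 200
198.51.100.4 - - [12/Feb/2023:10:02:00 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 401
198.51.100.4 - - [12/Feb/2023:10:02:01 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 401
198.51.100.4 - - [12/Feb/2023:10:02:02 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 401
198.51.100.4 - - [12/Feb/2023:10:02:30 +0000] "POST /redfish/v1/SessionService/Sessions HTTP/1.1" 201
10.0.5.7 - admin [12/Feb/2023:10:03:00 +0000] "GET /redfish/v1/Systems HTTP/1.1" 401
10.0.5.7 - admin [12/Feb/2023:10:03:05 +0000] "GET /redfish/v1/Systems HTTP/1.1" 200
garbage line that does not parse
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines(), ["10.0.5.0/24"]))
```

The trusted-network allowlist is what keeps the first indicator from firing on your own automation, so keep it narrow and review it when the management network changes; the failure threshold and window are tuning knobs, not fixed values.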