CVE-2022-40259, CVE-2022-40242, CVE-2022-2827 -- Vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) software (BSA-2022-2147)

Brocade Fabric OS

2 more products

21211

20 March 2023

09 December 2022

CLOSED

LOW

Multiple

No

CVE-2022-40259, CVE-2022-40242, CVE-2022-2827

Summary

Security Advisory ID: BSA-2022-2147

Component: BMC Software

Revision: 1.0

Brocade PSIRT has become aware of several vulnerabilities discovered by Eclypsium Research affecting AMI MegaRAC Baseboard Management Controller (BMC) software.

More information at: https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/

The vulnerabilities discovered are addressed by the following CVEs:

  • CVE-2022-40259 Arbitrary Code Execution via Redfish API
    AMI MegaRAC Redfish Arbitrary Code Execution
    CVSS Score: 9.8 CRITICAL - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • CVE-2022-40242 Default credentials for UID = 0 shell via SSH
    MegaRAC Default Credentials Vulnerability
    CVSS Score: 9.8 CRITICAL - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • CVE-2022-2827 User enumeration via API
    AMI MegaRAC User Enumeration Vulnerability
    CVSS Score: 7.5 HIGH - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Products Confirmed Not Affected

No Brocade Fibre Channel products from Broadcom are known to be affected by these vulnerabilities.

Note

Brocade SANnav products are not affected by these vulnerabilities. However, because the environment in which the products run is not under Brocade's control, Brocade recommends that customers apply the affected vendors' recommendations.

Revision History

Version   Change                 Date
1.0       Initial Publication    Dec 08, 2022