
Veteran PC users have likely seen messages from American Megatrends International (AMI) during system startup. AMI is a leading provider of BIOS and UEFI firmware solutions, and its controller software is embedded in numerous PCs and servers.
Recently, AMI issued a security advisory disclosing a critical vulnerability in its MegaRAC Baseboard Management Controller (BMC) software. The flaw is tracked as CVE-2024-54085 and carries the maximum CVSS score of 10.0.
According to the advisory, CVE-2024-54085 is remotely exploitable, potentially enabling attackers to install malware, tamper with firmware, or even induce overvoltage conditions that cause irreversible physical damage to the motherboard. Several motherboard manufacturers using AMI firmware are now releasing patches to address the vulnerability.
ASUS has rolled out firmware updates to mitigate the issue for the following workstation motherboards:
- PRO WS W790E-SAGE SE – v1.1.57
- PRO WS W680M-ACE SE – v1.1.21
- PRO WS WRX90E-SAGE SE – v2.1.28
- Pro WS WRX80E-SAGE SE WIFI – v1.34.0
If your PC or server is equipped with one of the affected ASUS boards, you are strongly encouraged to manually apply the firmware update. To upgrade: download the BMC firmware in .ima format, navigate to the web interface > Maintenance > Firmware Update, select the .ima file, and begin the update. AMI recommends enabling the “Full Flash” option to ensure a comprehensive firmware refresh.
All listed firmware updates are current. For security reasons, OEM vendors often release firmware silently before publicly disclosing the associated vulnerability, thereby reducing the risk of exploitation via reverse engineering before most users have applied the patch.
The aforementioned boards are high-performance workstation motherboards. It remains unclear whether ASUS or other manufacturers have deployed AMI software in mainstream consumer-grade motherboards. Users are advised to monitor their motherboard vendors’ websites for update announcements.
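For a fleet with more than a handful of these boards, the version list above can be turned into an inventory check. The following is an added example, not code from AMI or ASUS. It assumes a hypothetical inventory CSV with `host`, `board` and `bmc_version` columns, that installed versions are reported in the same dotted format as the release versions, and that a version at or above the listed one carries the fix.

```python
import csv
import io

# Fixed BMC firmware versions per board, taken from the list above.
FIXED = {
    "PRO WS W790E-SAGE SE": "1.1.57",
    "PRO WS W680M-ACE SE": "1.1.21",
    "PRO WS WRX90E-SAGE SE": "2.1.28",
    "PRO WS WRX80E-SAGE SE WIFI": "1.34.0",
}

def parse_version(text):
    """Turn 'v1.34.0' into (1, 34, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def normalise(board):
    """Collapse case and spacing so 'Pro WS ...' matches 'PRO WS ...'."""
    return " ".join(board.upper().split())

def audit(inventory_csv):
    """Return [(host, status)]; status is 'patched', 'update' or 'unknown'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(normalise(row["board"]))
        if fixed is None:
            status = "unknown"  # board not on the list: check the vendor's site
        else:
            try:
                current = parse_version(row["bmc_version"])
            except ValueError:
                status = "unknown"  # version string could not be parsed
            else:
                status = "patched" if current >= parse_version(fixed) else "update"
        results.append((row["host"], status))
    return results

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = """host,board,bmc_version
ws-01,Pro WS W790E-SAGE SE,v1.1.57
ws-02,PRO WS WRX80E-SAGE SE WIFI,1.4.0
ws-03,Pro WS W680M-ACE SE,1.1.9
ws-04,PRO WS WRX90E-SAGE SE,2.1.28
ws-05,Example Board X,1.0.0
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 1.4.0 above 1.34.0 and report ws-02 as patched.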