AMI, a leading provider of BIOS and BMC firmware, has announced security advisories addressing multiple vulnerabilities affecting its products. These vulnerabilities range in severity and could allow attackers to execute arbitrary code, cause denial of service, or bypass authentication remotely.
One of the critical vulnerabilities, tracked as CVE-2024-54084, resides in AMI’s AptioV BIOS firmware. This vulnerability, with a CVSS score of 7.5, could allow an attacker with local access to exploit a race condition, potentially leading to arbitrary code execution.
Another vulnerability, CVE-2024-12546, affects EDK2, an open-source UEFI implementation used in various AMI firmware products. This vulnerability, with a CVSS score of 3.5, could be exploited remotely to cause an integer overflow or wraparound, potentially leading to denial of service.
The most severe vulnerability, CVE-2024-54085, resides in AMI’s SPx Baseboard Management Controller (BMC) software. This vulnerability, with a critical CVSS score of 10, allows a remote attacker to bypass authentication through the Redfish Host Interface. Successful exploitation could lead to a complete compromise of the affected system, including loss of confidentiality, integrity, and availability.
AMI has released updates to address these vulnerabilities. The AptioV and EDK2 vulnerabilities are fixed in version BKC_5.38, while the SPx vulnerability is addressed in versions SPx_12.7+ and SPx_13.5.
Users of AMI firmware and BMC software are strongly encouraged to update their systems to the latest versions to mitigate the risks associated with these vulnerabilities.
