Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

Technology

Apr 15, 2024NewsroomFirmware Security / Vulnerability

Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal.

While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo.

Lighttpd (pronounced “Lighty”) is an open-source high-performance web server software designed for speed, security, and flexibility, while optimized for high-performance environments without consuming a lot of system resources.

The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (ASLR).

Cybersecurity

“The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains,” the firmware security company said.

The flaws are described below –

  • Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
  • Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
  • Out-of-bounds read in Lighttpd before 1.4.51

Intel and Lenovo have opted not to address the issue as the products incorporating the susceptible version of Lighttpd have hit end-of-life (EoL) status and are no longer eligible for security updates, effectively turning it into a forever-day bug.

Intel and Lenovo BMCs

The disclosure highlights how the presence of outdated third-party components in the latest version of firmware can traverse the supply chain and pose unintended security risks for end users.

“This is yet another vulnerability that will remain unfixed forever in some products and will present high-impact risk to the industry for a very long time,” Binarly added.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Read original source here.

Products You May Like

Articles You May Like

Meta went all in on AI in 2024. The pressure builds in 2025
Inside Crown Northampton Sneakers and Boots: A 116-Year Family Legacy in Every Stitch
A look back at U.S. airlines’ wild 2024, from door plugs to bankruptcy
‘Wicked’ Digital Release Interview: Director Jon M. Chu
Trump And Mike Johnson Agree To Apparently Cut Americans’ Healthcare To Pay For Tax Cuts For The Rich