Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

Apr 15, 2024 | Newsroom | Firmware Security / Vulnerabilities


A security flaw affecting the Lighttpd web server used by baseboard management controllers (BMCs) remains unpatched by device vendors such as Intel and Lenovo, new findings from Binarly reveal.

While the original deficiency was discovered and fixed by the Lighttpd maintainers back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by the developers of the AMI MegaRAC BMC, which eventually ended up in products made by Intel and Lenovo.

Lighttpd (pronounced "Lighty") is open-source, high-performance web server software designed for speed, security, and flexibility, optimized for high-load environments without wasting system resources.

The silently fixed Lighttpd issue is an out-of-bounds read vulnerability that can be exploited to exfiltrate sensitive data, such as process memory addresses, allowing threat actors to bypass key security mechanisms such as address space layout randomization (ASLR).


"The absence of quick and important information about security fixes prevents the proper management of these fixes in both the firmware and software supply chains," the firmware security company said.

The flaws are described below:

  • Out-of-bounds read in Lighttpd 1.4.45 used by Intel M70KLP series firmware
  • Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
  • Out-of-bounds read in Lighttpd before 1.4.51

Intel and Lenovo have chosen not to address the issue because the products that incorporate the vulnerable version of Lighttpd have reached end-of-life (EoL) status and are no longer eligible for security updates, which effectively makes this a forever-day bug.
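Because the fix shipped without a CVE, the only version-level fact a defender can act on is the one stated above: any Lighttpd release before 1.4.51 carries the out-of-bounds read. The following is an added example (not Binarly's or either vendor's tooling) that triages BMC web endpoints from their advertised Server banner against that threshold; the hostnames and banners are constructed for illustration.

```python
"""Flag BMC web endpoints that advertise a Lighttpd version older than the
1.4.51 fix release. Added example, not Binarly's or the vendors' tooling;
the sample banners below are constructed for illustration."""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = (1, 4, 51)  # Lighttpd release that silently fixed the OOB read
_SERVER_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(server_header: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header, or None when the
    header is absent or does not identify Lighttpd at all."""
    if not server_header:
        return None
    match = _SERVER_RE.search(server_header)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """True when the advertised version predates the 1.4.51 fix."""
    return version < FIXED_VERSION


def triage(hosts: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'fixed' | 'unknown' from raw Server banners.
    'unknown' means the banner gave no usable version; it is NOT a clean bill."""
    result = {}
    for host, header in hosts.items():
        version = parse_lighttpd_version(header)
        if version is None:
            result[host] = "unknown"  # confirm from firmware inventory instead
        elif is_vulnerable_version(version):
            result[host] = "vulnerable"
        else:
            result[host] = "fixed"
    return result


# Constructed sample: banners modelled on the versions named in the article
SAMPLE_HOSTS: Dict[str, Optional[str]] = {
    "bmc-intel-m70klp.example": "lighttpd/1.4.45",
    "bmc-lenovo.example": "lighttpd/1.4.35",
    "bmc-patched.example": "lighttpd/1.4.51",
    "bmc-silent.example": None,            # banner suppressed by the firmware
    "bmc-other.example": "Apache/2.4.58",  # not Lighttpd: out of scope here
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host:28} {status}")
```

A missing or generic banner yields "unknown", not "fixed", so confirm the bundled Lighttpd version from the firmware image or the vendor's component inventory. Since the EoL products will never receive the fix, the practical mitigation is restricting network access to the BMC management interface.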


The disclosure highlights how outdated third-party components bundled into even the latest firmware versions can propagate through the supply chain and pose unintended security risks for end users.

“This is another vulnerability that will remain unpatched forever in some products and will present a risk that will have a high impact on the industry for a long time,” Binarly added.
