A substantial security vulnerability has been discovered in Baseboard Management Controllers (BMCs), exposing a nearly six-year-old flaw in the commonly used Lighttpd web server. This vulnerability presents significant risks to more than 2000 devices deployed by prominent vendors like Intel, Lenovo and Supermicro.
Because the vulnerability was never assigned a CVE, the fix went untracked, and the flaw persisted in the outdated firmware components of devices such as the AMI MegaRAC BMC.
The impact of this oversight has been substantial, with Binarly’s Transparency Platform identifying over 2000 vulnerable devices from Intel, Lenovo, and Supermicro.
Researchers from Binarly discovered three such vulnerabilities:
- BRLY-2024-002: A Heap Out-of-bounds Read vulnerability in the web server component of Intel BMC.
- BRLY-2024-003: A Heap Out-of-bounds Read vulnerability in the web server component of Lenovo BMC.
- BRLY-2024-004: A Heap Out-of-bounds Read vulnerability in the Lighttpd web server.
Although the researchers tracked the flaw under the in-house identifier BRLY-2024-002 and reported it to Intel’s PSIRT, they were met with responses citing the end-of-life status of the affected products, highlighting the industry’s ongoing security gaps.
If exploited, this vulnerability could allow attackers to exfiltrate sensitive data, including process memory addresses, potentially bypassing critical security mechanisms like Address Space Layout Randomisation (ASLR).
Despite Lighttpd maintainers addressing the vulnerability in version 1.4.51 in 2018, the lack of a tracking ID (CVE) and a silent patching approach led to its unnoticed integration into BMC firmware, particularly in devices utilising AMI MegaRAC BMCs.
This discovery mirrors broader issues within the firmware supply chain, where outdated third-party components persist in the latest versions, posing substantial risks to end users. Notably, the Lighttpd vulnerability affects Intel M70KLP BMC firmware and Lenovo BMC firmware for HX3710, HX3710-F, and HX2710-E servers, identified with BRLY-2024-003 identifiers.
Lenovo’s response for its affected devices was much the same as Intel’s: Lenovo also acknowledged the vulnerability but cited the end-of-life status of the affected products as grounds for providing no support or patch.
The absence of clear security advisories and CVE identifiers for such fixes exacerbates the challenge, hindering the proper handling of critical security updates across the supply chain. Researchers have urged improved collaboration between software maintainers, device vendors, and end users to mitigate security risks effectively.
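Because the 2018 fix shipped without a CVE, scanners keyed on CVE identifiers cannot flag the bundled web server; the practical check is by component version. The following is an added example, not Binarly's or any vendor's code: it walks a constructed firmware component inventory (device names, versions and the inventory format are all assumed for illustration) and flags any lighttpd build older than 1.4.51, the version the article names as the first to carry the fix.

```python
"""Flag firmware component inventories that still bundle a lighttpd build
predating the silently fixed heap out-of-bounds read.

Added example for this article, not Binarly's or any vendor's code. The
inventory format, device names and version strings are constructed for
illustration; the only fact taken from the article is that the fix landed
in lighttpd 1.4.51 and was never assigned a CVE.
"""
import re

# First release carrying the 2018 fix (from the article).
LIGHTTPD_FIXED = (1, 4, 51)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.4.35',
    '1.4.51-r2' or 'lighttpd/1.4.50'; None when no x.y.z is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(version_text):
    """True when the version parses and predates the fixed release."""
    v = parse_version(version_text)
    return v is not None and v < LIGHTTPD_FIXED


def scan_inventory(inventory):
    """inventory: list of dicts with 'device' and 'components' ({name: version}).
    Returns (device, version) pairs whose lighttpd build needs attention."""
    findings = []
    for entry in inventory:
        for name, version in entry["components"].items():
            if name.lower() == "lighttpd" and is_affected(version):
                findings.append((entry["device"], version))
    return findings


# Constructed sample inventory (hypothetical devices, not real firmware data).
SAMPLE_INVENTORY = [
    {"device": "bmc-rack1-01", "components": {"lighttpd": "1.4.35", "openssl": "1.0.2u"}},
    {"device": "bmc-rack1-02", "components": {"lighttpd": "lighttpd/1.4.51-r1"}},
    {"device": "bmc-rack2-07", "components": {"lighttpd": "1.4.50", "busybox": "1.31"}},
    {"device": "bmc-rack2-08", "components": {"nginx": "1.18.0"}},
]

if __name__ == "__main__":
    for device, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"{device}: lighttpd {version} predates 1.4.51 (no CVE exists; track by version)")
```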
Vendors are often reluctant to patch flaws in outdated equipment. Recently, researchers discovered that about 92,000 D-Link devices were affected by several vulnerabilities. However, D-Link refused to provide updates, claiming that the devices in question had already reached the end of their service life.
Users who still operate such devices should consider replacing them. A vendor’s refusal to patch vulnerabilities can put privacy and important data at risk, so it is better to put mitigations in place now.