New findings from Binarly reveal that equipment vendors such as Intel and Lenovo have still not patched a security vulnerability affecting the Lighttpd web server used in the baseboard management controller (BMC).
While the original flaw was discovered and patched by Lighttpd maintainers back in August 2018 in version 1.4.51, the lack of a CVE identifier or advisory meant it was ignored by the developers of AMI MegaRAC BMC and ended up appearing in the product. Provided by Intel and Lenovo.
Lighttpd (pronounced “Lighty”) is open source, high-performance web server software designed for speed, security, and flexibility, while being optimized for high-performance environments without consuming large amounts of system resources.
Lighttpd’s silent fix involves an out-of-bounds read vulnerability that can be exploited to leak sensitive data such as process memory addresses, allowing threat actors to bypass critical security mechanisms such as Address Space Layout Randomization (ASLR).
“The lack of timely and critical information about security fixes hinders the proper processing of these fixes along the firmware and software supply chain,” the firmware security company said.
The defect description is as follows –
- Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
- Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
- Out-of-bounds read in Lighttpd before 1.4.51
Intel and Lenovo chose not to address the issue because products containing vulnerable versions of Lighttpd have reached end-of-life (EoL) status and are no longer eligible for security updates, effectively turning them into bugs forever.
The disclosure highlights how outdated third-party components in the latest versions of firmware can traverse the supply chain and pose unexpected security risks to end users.
Binarly added: “This is another vulnerability that will never be fixed in some products and will pose a high impact risk to the industry for a long time to come.”
