

    Intel and Lenovo BMCs Remain Vulnerable to Unpatched Lighttpd Server Flaw

    Binarly has published details of an unfixed security vulnerability in the Lighttpd web server as shipped inside baseboard management controllers (BMCs); the affected device vendors, Intel and Lenovo among them, have declined to fix it.

    The underlying bug was found and fixed by the Lighttpd maintainers in August 2018, in version 1.4.51. The fix shipped without a CVE identifier or a security advisory, so the developers of the AMI MegaRAC BMC firmware never picked it up, and the unpatched Lighttpd build propagated downstream into products made by Intel and Lenovo.

    Lighttpd (often called “Lighty”) is an open-source web server designed for speed, security and flexibility, with a small memory and CPU footprint that makes it a common choice for embedded systems such as BMC firmware.

    The quietly fixed bug is an out-of-bounds read. Memory read past the end of a buffer can end up in a response to the client, which lets an attacker exfiltrate sensitive data such as process memory addresses. A leaked address reveals where code or data is mapped in the running process, which defeats address space layout randomization (ASLR) and removes a key obstacle to building a reliable exploit chain against the BMC.
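    The following is an added, constructed example of the bug class described above, not Lighttpd's code and not the specific flaw Binarly found. It models a generic pattern: a server stores exactly the header bytes a client sent, but a later step assumes the value is always a full 29-byte RFC 1123 date and reads that many bytes regardless. A deliberately short header makes the read run past the value into whatever object happens to follow it (here, a pointer placed there to stand in for a heap neighbour), and the pointer's bytes come back to the client in the echoed output. The arena layout, the header, and the "heap address" are all hypothetical; the hardened variant beside it bounds the read by the received length and rejects malformed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not lighttpd code): a request buffer holds exactly
 * the header bytes the client sent, and the next live object (here, a
 * pointer) sits right behind it. Any code that reads a fixed number of
 * bytes instead of the received length walks into that object.
 */
#define DATE_LEN  29   /* an RFC 1123 date, e.g. "Sun, 06 Nov 1994 08:49:37 GMT" */
#define ARENA_LEN 64

struct request {
    uint8_t arena[ARENA_LEN];  /* [0, value_len) = header value, then neighbour data */
    size_t  value_len;         /* bytes actually received for the header */
};

/* Lay out the arena: the header value, immediately followed by a pointer
 * that belongs to some other object (simulated heap neighbour). */
void build_request(struct request *r, const char *value, uint64_t neighbour_ptr)
{
    memset(r->arena, 0, ARENA_LEN);
    r->value_len = strlen(value);
    if (r->value_len > ARENA_LEN - sizeof neighbour_ptr)
        r->value_len = ARENA_LEN - sizeof neighbour_ptr;
    memcpy(r->arena, value, r->value_len);
    memcpy(r->arena + r->value_len, &neighbour_ptr, sizeof neighbour_ptr);
}

/* VULNERABLE: assumes the value is a full date and echoes DATE_LEN bytes.
 * A short value makes the copy read past the header into the neighbour. */
size_t vuln_echo(const struct request *r, uint8_t *out)
{
    memcpy(out, r->arena, DATE_LEN);
    return DATE_LEN;
}

/* HARDENED: the only trustworthy bound is the length actually received;
 * a value that is not a complete date is rejected rather than processed. */
size_t safe_echo(const struct request *r, uint8_t *out)
{
    if (r->value_len != DATE_LEN)
        return 0;                       /* malformed header: nothing echoed */
    memcpy(out, r->arena, r->value_len);
    return r->value_len;
}

/* Does the echoed output contain the neighbour pointer's raw bytes? */
static int contains_bytes(const uint8_t *hay, size_t n, const void *needle, size_t m)
{
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Send a 3-byte header where a 29-byte date was expected; returns 1 if the
 * vulnerable path leaked the pointer, 0 otherwise. */
int vuln_path_leaks_pointer(void)
{
    struct request r;
    uint8_t out[ARENA_LEN];
    uint64_t ptr = 0x00007f3a1c2d4e50ULL;   /* constructed "heap address" */
    build_request(&r, "Thu", ptr);
    size_t n = vuln_echo(&r, out);
    return contains_bytes(out, n, &ptr, sizeof ptr);
}

/* The same short header through the hardened path. */
int safe_path_leaks_pointer(void)
{
    struct request r;
    uint8_t out[ARENA_LEN];
    uint64_t ptr = 0x00007f3a1c2d4e50ULL;
    build_request(&r, "Thu", ptr);
    size_t n = safe_echo(&r, out);
    return contains_bytes(out, n, &ptr, sizeof ptr);
}

int main(void)
{
    printf("vulnerable path leaks pointer: %d\n", vuln_path_leaks_pointer());
    printf("hardened path leaks pointer:   %d\n", safe_path_leaks_pointer());
    return 0;
}
```

    In a real process the bytes that follow a short heap allocation are rarely zero: allocator metadata and neighbouring objects routinely contain pointers into the heap, the stack or the program image, which is exactly what an attacker needs to compute ASLR-randomized base addresses.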

    “The lack of timely and pertinent security fix information impedes the proper dissemination of these remedies across both firmware and software supply chains,” noted the firmware security company.

    Binarly's three findings are:

    • Out-of-bounds read in Lighttpd 1.4.45, as used in Intel M70KLP series firmware
    • Out-of-bounds read in Lighttpd 1.4.35, as used in Lenovo BMC firmware
    • Out-of-bounds read in all Lighttpd versions prior to 1.4.51
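    The first question a practitioner will ask about the list above is whether a given BMC exposes a pre-1.4.51 build. Lighttpd announces its version in the HTTP Server header by default, so a version check on that banner is a cheap first pass. The check below is an added example, not from Binarly or the page; it parses a Server banner and compares it against the fix version 1.4.51 named above, and the sample banners are constructed to match the versions in the list.

```c
#include <stdio.h>
#include <string.h>

/* Version in which the lighttpd maintainers fixed the out-of-bounds read
 * (per the list above); anything older is treated as vulnerable. */
static const int FIXED_VERSION[3] = {1, 4, 51};

/* Extract MAJOR.MINOR.PATCH from a Server header value such as
 * "Server: lighttpd/1.4.35". Returns 1 on success, 0 if the banner does
 * not name a lighttpd version at all. */
int lighttpd_version_from_banner(const char *banner, int v[3])
{
    static const char tag[] = "lighttpd/";
    const char *p = strstr(banner, tag);
    if (p == NULL)
        return 0;
    return sscanf(p + strlen(tag), "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* Lexicographic comparison of two MAJOR.MINOR.PATCH triples:
 * negative if a < b, zero if equal, positive if a > b. */
int version_cmp(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = banner names a lighttpd older than the fix (vulnerable),
 * 0 = 1.4.51 or newer,
 * -1 = banner is not a lighttpd version string (an absent or rewritten
 *      banner tells you nothing either way). */
int lighttpd_banner_vulnerable(const char *banner)
{
    int v[3];
    if (!lighttpd_version_from_banner(banner, v))
        return -1;
    return version_cmp(v, FIXED_VERSION) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed banners matching the affected versions named above. */
    const char *samples[] = {
        "Server: lighttpd/1.4.35",   /* Lenovo BMC firmware build   */
        "Server: lighttpd/1.4.45",   /* Intel M70KLP firmware build */
        "Server: lighttpd/1.4.51",   /* first fixed release         */
        "Server: lighttpd/1.4.76",
        "Server: nginx/1.24.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %d\n", samples[i], lighttpd_banner_vulnerable(samples[i]));
    return 0;
}
```

    Feed it the output of something like `curl -skI https://<bmc>/ | grep -i '^Server:'`. Two caveats: the banner is configurable (Lighttpd's `server.tag` directive replaces it, and firmware vendors sometimes strip it), so a missing or generic banner does not clear a device; and the vendor patch status matters more than the upstream version, since a BMC build could in principle carry a backported fix under an old version string. Firmware analysis of the kind Binarly performed is the authoritative check; the banner test only triages.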

    Intel and Lenovo have declined to fix the issue, citing the end-of-life (EoL) status of the products that ship the vulnerable Lighttpd version: EoL products no longer receive security updates, which turns this into a “forever-day” bug for anyone still running them.

    The disclosure shows how an outdated third-party component can persist into the very latest firmware release, travel through the supply chain unnoticed, and leave end users exposed without any of the parties involved being aware of it.

    “This represents yet another vulnerability destined to linger indefinitely in certain products, presenting a substantial and enduring risk to the industry,” emphasized Binarly.
