Persistent Security Gap: Unpatched Lighttpd Flaw in Intel and Lenovo BMCs Raises Concerns
Charles M. Walls | April 16, 2024 | Views: 119
An undisclosed vulnerability in the Lighttpd web server, used in baseboard management controllers (BMCs), has yet to be resolved by manufacturers such as Intel and Lenovo, according to recent insights from Binarly.
Although Lighttpd's developers fixed the bug in August 2018 with the release of version 1.4.51, the omission of a CVE identifier and corresponding advisory meant it went unnoticed by AMI MegaRAC BMC developers. This oversight led to the flaw being present in products from both Intel and Lenovo.
Lighttpd, also known as "Lighty", is a high-performance, open-source web server software engineered for speed, security, and flexibility. It is specifically designed to deliver optimal performance while minimizing system resource usage.
The vulnerability in question involves an out-of-bounds read issue that could potentially allow unauthorized access to sensitive data, including process memory addresses. This could enable attackers to circumvent critical security defenses such as address space layout randomization (ASLR).
Binarly pointed out that the lack of immediate and clear information on security patches can hinder proper management of these updates across both firmware and software supply chains.
The vulnerabilities detailed are as follows:
- Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
- Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
- Out-of-bounds read in Lighttpd versions prior to 1.4.51
Both Intel and Lenovo have decided not to patch these issues, stating that the products containing these versions of Lighttpd have reached their end-of-life (EoL) and are no longer supported with security updates. This situation results in what's known as a forever-day bug.
The case exemplifies the risks associated with using outdated third-party components in firmware, which can introduce security vulnerabilities to the supply chain, thereby compromising end-user safety.
Binarly has expressed concern that this persistent vulnerability will pose a long-term, high-impact risk to the industry, underscoring the need for vigilance and updated practices in managing third-party software components.
