A long-standing vulnerability in the Lighttpd web server used within Baseboard Management Controllers (BMC) has gone unnoticed by numerous device vendors, including Intel and Lenovo, potentially exposing these servers to security risks.
The security flaw, dating back to nearly six years ago, allows for the exfiltration of process memory addresses, which could facilitate attacks bypassing security mechanisms like Address Space Layout Randomization (ASLR).
Lighttpd, renowned for its lightweight and efficient performance, is favoured for high-traffic websites due to its minimal resource consumption. Researchers from Binarly, a firmware security firm, recently discovered a remotely exploitable heap out-of-bounds (OOB) read vulnerability in Lighttpd's handling of "folded" HTTP request headers during scans of BMCs.
Although the vulnerability was addressed in August 2018 with a silent patch in Lighttpd version 1.4.51 (without a CVE ID), the fix was missed by developers of the AMI MegaRAC BMC firmware, leading to its absence in subsequent product integrations and deployments.
Binarly found that AMI did not apply the Lighttpd fix from 2019 until 2023, resulting in a significant number of vulnerable devices deployed over these years.
According to Binarly, multiple products from Intel, Lenovo, and Supermicro are impacted, with potentially over 2000 affected devices in the field.
The security firm assigned internal identifiers (BRLY-2024-002, BRLY-2024-003, BRLY-2024-004) to specify the impact of the Lighttpd vulnerability on different vendor devices and server models.
Despite notifications from Binarly, both Intel and Lenovo acknowledged that impacted models had reached end-of-life (EOL) and were no longer receiving security updates, leaving them vulnerable indefinitely.
Binarly's report underscores the challenges of managing firmware supply chain security and highlights the need for improved transparency and awareness to address vulnerabilities effectively within the industry.
The technical details provided by Binarly in their report could potentially aid attackers in developing exploits, emphasizing the critical need for prompt and comprehensive patch management across firmware and device ecosystems.
