April 11, 2024 at 12:52PM
A six-year-old vulnerability in the Lighttpd web server used in Baseboard Management Controllers, overlooked by vendors such as Intel and Lenovo, could allow exfiltration of process memory addresses and thereby a bypass of protection mechanisms such as ASLR. Binarly identified the flaw, a heap out-of-bounds read, and found that vendors had missed the upstream fix, leaving a massive number of devices vulnerable; impacted models are likely to remain vulnerable indefinitely.
Based on the meeting notes, the main takeaways from the discussion are:
1. A long-standing vulnerability in the Lighttpd web server used in Baseboard Management Controllers (BMCs) has been overlooked by multiple device vendors, including Intel and Lenovo.
2. The security issue allows for the exfiltration of process memory addresses, potentially enabling attackers to bypass protection mechanisms such as Address Space Layout Randomization (ASLR).
3. The vulnerability in the Lighttpd web server was addressed in August 2018, but the patch was silently integrated without a tracking ID, so some downstream developers and vendors, such as those behind the AMI MegaRAC BMC firmware, missed the fix and never integrated it into their products.
4. The impacted BMC devices from Intel and Lenovo have reached end-of-life (EOL) and are no longer receiving security updates, leaving them vulnerable indefinitely.
5. There is a significant number of vulnerable BMC devices that have reached EOL, and the lack of patches will leave them susceptible to the vulnerability in the long term due to gaps in the firmware supply chain and a lack of transparency from the Lighttpd maintainers.
These key points highlight the severity of the vulnerability, the implications for impacted device vendors, and the long-term security risks posed by the lack of timely patches and transparency in the firmware supply chain.