April 15, 2024 at 01:03PM
A security flaw in the Lighttpd web server used in BMCs, left unpatched by Intel and Lenovo, poses a risk of exfiltrating sensitive data. Because no prompt security information accompanied the upstream fix, it was never properly propagated down the firmware and software supply chains. The out-of-bounds read in susceptible versions of Lighttpd remains unaddressed in the affected products because they have reached end-of-life status.
A security flaw has been identified in the Lighttpd web server, impacting baseboard management controllers (BMCs) used by device vendors such as Intel and Lenovo. The flaw was originally patched by Lighttpd's maintainers in August 2018 with version 1.4.51, but because no CVE identifier or advisory was issued, the fix was overlooked by downstream developers, and the vulnerable code ultimately ended up in products made by Intel and Lenovo.
The out-of-bounds read vulnerability in Lighttpd could be exploited to exfiltrate sensitive data, giving threat actors a way to bypass crucial security mechanisms. Despite the seriousness of the issue, Intel and Lenovo have chosen not to address it, since the affected products have reached end-of-life status and are no longer eligible for security updates.
The disclosure emphasizes the unintended security risks that outdated third-party components in firmware can pose for end users. Binarly, the firmware security company, highlighted the high-impact risk presented by vulnerabilities remaining unfixed in some products for a long time.
This information underlines the importance of prompt and transparent communication about security fixes to ensure proper handling down both the firmware and software supply chains.
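One practical defender-side check that follows from the above: flag any asset in a BMC component inventory that still reports a Lighttpd build older than the 1.4.51 fix release. This is an added example, not code from the article or from Binarly; the inventory rows, asset names and the `classify`/`audit` helpers are constructed for illustration.

```python
"""Flag Lighttpd builds older than the 1.4.51 fix release in an inventory.

Added example, not part of the original article or any vendor tooling. The
inventory below is constructed; real rows would come from a BMC firmware
SBOM, a firmware scanner, or the Server header a BMC web interface returns.
"""
import re

FIXED_VERSION = (1, 4, 51)  # release that carried the August 2018 fix

# Constructed inventory: (asset, component, version string as reported)
INVENTORY = [
    ("bmc-rack1-node3", "lighttpd", "1.4.45"),
    ("bmc-rack1-node4", "lighttpd", "lighttpd/1.4.51"),
    ("bmc-rack2-node1", "lighttpd", "1.4.59"),
    ("bmc-rack2-node2", "nginx", "1.18.0"),
    ("bmc-rack2-node3", "lighttpd", "unknown"),
]


def parse_version(text):
    """Extract a (major, minor, patch) tuple; None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(component, version_text):
    """Return 'vulnerable', 'fixed', 'unknown', or 'n/a' (not lighttpd)."""
    if component.lower() != "lighttpd":
        return "n/a"
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"  # cannot prove it is fixed; needs manual follow-up
    # Tuple comparison orders (1, 4, 45) before (1, 4, 51) as intended.
    return "fixed" if ver >= FIXED_VERSION else "vulnerable"


def audit(inventory):
    """Group assets by status so the ones needing vendor follow-up stand out."""
    report = {"vulnerable": [], "fixed": [], "unknown": [], "n/a": []}
    for asset, component, version_text in inventory:
        report[classify(component, version_text)].append(asset)
    return report


if __name__ == "__main__":
    for status, assets in audit(INVENTORY).items():
        print(f"{status:10s} {', '.join(assets) or '-'}")
```

A version string is only a first-pass signal: a vendor may backport the fix without bumping the reported version, or ship a "fixed" version number on top of an older fork, so "unknown" and "fixed" entries on end-of-life hardware still deserve a source-level or vendor confirmation.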