A major security vulnerability in the Lighttpd web server used in Baseboard Management Controllers (BMCs) has gone unnoticed for almost six years, affecting devices from vendors such as Intel and Lenovo. The vulnerability could allow attackers to exfiltrate process memory addresses, potentially bypassing important protection mechanisms like Address Space Layout Randomization (ASLR).

Recently, researchers at the firmware security firm Binarly discovered a remotely exploitable heap out-of-bounds (OOB) read vulnerability in the Lighttpd web server that stems from the processing of “folded” HTTP request headers (continuation lines beginning with whitespace). Although the vulnerability was fixed in Lighttpd in August 2018, the developers of the AMI MegaRAC BMC firmware never incorporated that fix into their product, allowing the vulnerability to persist and affect system vendors and customers further down the supply chain.
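As an added illustration (this is not code from Binarly, Lighttpd or AMI), the parser below shows the defender-side handling of the obsolete header folding the report refers to: a server should either reject folded lines with a 400 or explicitly unfold them into one value before using them, and the same check can be run over captured requests to flag folds for triage. The sample request is constructed.

```python
"""Detect and safely handle obsolete HTTP header line folding (obs-fold).

RFC 7230 section 3.2.4 deprecates continuation lines starting with SP or
HTAB; a server may reject them (400) or replace each fold with one space.
Added example, not the code of any project named in the article.
"""
import re

OBS_FOLD = re.compile(r"\r?\n[ \t]+")  # line break followed by whitespace


class BadRequest(ValueError):
    """Raised for a request a hardened server should answer with 400."""


def parse_headers(raw: bytes, reject_folds: bool = True) -> dict:
    """Parse the header block of an HTTP/1.1 request into {name_lower: value}.

    With reject_folds=True any obs-fold raises BadRequest (the safer choice);
    otherwise each fold is replaced by a single space before interpretation.
    """
    text = raw.decode("iso-8859-1")
    head, _, _body = text.partition("\r\n\r\n")
    header_lines = head.split("\r\n")[1:]          # drop the request line
    if header_lines and header_lines[0][:1] in (" ", "\t"):
        raise BadRequest("fold before the first header field")  # nothing to continue
    folds = sum(1 for line in header_lines if line[:1] in (" ", "\t"))
    if folds and reject_folds:
        raise BadRequest(f"{folds} folded header line(s) rejected")
    headers, current = {}, None
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            headers[current] += " " + line.strip()   # unfold: fold -> one SP
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise BadRequest(f"malformed header line: {line!r}")
        current = name.lower()
        headers[current] = value.strip()             # later duplicates overwrite
    return headers


def count_folds(raw: bytes) -> int:
    """Number of obs-fold continuations in a raw request (log/WAF triage)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(OBS_FOLD.findall(head.decode("iso-8859-1")))


def would_reject(raw: bytes) -> bool:
    """True if the hardened (reject_folds=True) parser refuses this request."""
    try:
        parse_headers(raw)
        return False
    except BadRequest:
        return True


# Constructed sample: one header value continued on a folded line.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: bmc.example\r\n"
          b"X-Multi: first part\r\n\tsecond part\r\n\r\n")
```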

BMCs are essential components embedded on server-grade motherboards, enabling remote management and monitoring capabilities for devices used in data centers and cloud environments. Binarly found that multiple products from Intel, Lenovo, and Supermicro were impacted by the vulnerability, with a reported 2000+ devices in the field affected.

The threat analysts at Binarly assigned internal identifiers to the vulnerability to track its impact on different vendors and devices. They notified Intel and Lenovo of the issue in their devices, with both vendors confirming that the affected models had reached end-of-life (EOL) and would not receive security updates, leaving them vulnerable until decommissioned.

A lack of patches for a “massive number” of vulnerable BMC devices that have reached EOL means they will remain vulnerable indefinitely. Binarly’s report on the vulnerability highlights the risks introduced by gaps in the firmware supply chain and emphasizes the importance of timely integration of necessary security fixes by vendors.

Lenovo issued a statement in response to the report, indicating that it is working with its supplier to assess any potential impact on Lenovo products, and noting that ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and are not affected.

Fabio

Full Stack Developer
