6-year bomb in Lenovo and Intel servers: over 2000 devices will have to be scrapped

Father

How a small oversight in the supply chain can lead to disaster.

Six years ago, a vulnerability was found in the Lighttpd web server that is embedded in server baseboard management controllers (BMCs). It was fixed quickly upstream, yet products from several major hardware manufacturers, including Intel and Lenovo, still ship the unpatched code, leaving end users exposed. How did this happen in the first place?

To start with, Lighttpd is an open-source web server known for being lightweight, fast, and efficient, which makes it a common choice for high-traffic sites and for embedded devices where system resources are scarce.

Researchers from Binarly, a company specializing in the security of embedded software, including BIOS and UEFI firmware, were surprised to find that equipment from the manufacturers named above is still susceptible to this very vulnerability, fixed six years ago.

The problem was discovered during recent routine scans of baseboard management controller (BMC) firmware. The experts found a remotely triggerable heap out-of-bounds read in the Lighttpd web server, hit while it parses "folded" (multi-line continuation) HTTP request headers.

As it turned out, although the vulnerability was fixed back in August 2018 in Lighttpd 1.4.51, the developers fixed it silently, without requesting a tracking identifier (CVE). As a result, the developers of AMI's MegaRAC BMC firmware missed the fix and never integrated it into their product, and the vulnerability propagated further down the supply chain to system vendors and their customers.

According to the researchers, the issue lets a remote attacker read data from the web server's process memory. Leaked heap contents such as pointers can help an attacker bypass protections like address space layout randomization (ASLR), making a follow-on exploit easier.

Binarly reported that the affected products include devices from Intel, Lenovo, and Supermicro. At the time of the report there were more than 2,000 vulnerable devices exposed in the field, and the real number may be higher.

Binarly assigned three internal identifiers to the Lighttpd vulnerability, depending on its impact on particular vendors and devices:
  • BRLY-2024-002: the specific vulnerability in Lighttpd 1.4.45 as used in Intel M70KLP series firmware version 01.04.0030 (the latest), affecting certain Intel server models.
  • BRLY-2024-003: the specific vulnerability in Lighttpd 1.4.35 as used in Lenovo BMC firmware version 2.88.58 (the latest), affecting the Lenovo HX3710, HX3710-F, and HX2710-E server models.
  • BRLY-2024-004: the generic vulnerability in Lighttpd web servers before 1.4.51, which allows remote reading of sensitive data from the server process's memory.
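A practical first check for an operator is simply whether a BMC exposes a Lighttpd build older than 1.4.51. The following script is an added example and is not Binarly's tooling or part of the original post: it classifies a `Server:` response banner, or any version string found in a firmware image, against the 1.4.51 threshold named above. The HTTP response snippets and the firmware blob are constructed inline for illustration; the function and constant names are this example's own. One caveat the code reflects: Lighttpd's `server.tag` option can suppress or replace the version in the banner, so "unknown" means "could not tell", not "safe".

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Lighttpd release that contains the silent fix for the folded-header
# heap out-of-bounds read (per the Binarly BRLY-2024-002/003/004 advisories).
FIXED_VERSION: Version = (1, 4, 51)

# Matches "lighttpd/1.4.45" in a Server: header or in raw firmware strings.
_BANNER_RE = re.compile(rb"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(data: bytes) -> Optional[Version]:
    """Return (major, minor, patch) of the first lighttpd banner in data, else None."""
    m = _BANNER_RE.search(data)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """Tuple comparison orders versions numerically, so 1.4.9 < 1.4.51 is handled."""
    return version < FIXED_VERSION


def assess_banner(http_headers: bytes) -> Tuple[str, Optional[Version]]:
    """Classify a raw HTTP response header block as 'affected', 'fixed' or 'unknown'.

    'unknown' covers a missing or version-less Server: banner (e.g. server.tag
    set to just "lighttpd"); such a device still needs a firmware-level check.
    """
    version = parse_lighttpd_version(http_headers)
    if version is None:
        return "unknown", None
    return ("affected" if is_affected(version) else "fixed"), version


def scan_firmware_strings(blob: bytes) -> List[Version]:
    """Collect every distinct lighttpd version string embedded in a firmware image.

    A BMC image can carry more than one copy (e.g. a recovery partition), so the
    whole list is returned; any entry below FIXED_VERSION is a finding.
    """
    found = {(int(a), int(b), int(c)) for a, b, c in _BANNER_RE.findall(blob)}
    return sorted(found)


def firmware_findings(blob: bytes) -> List[Version]:
    """Subset of embedded lighttpd versions that are older than the fixed release."""
    return [v for v in scan_firmware_strings(blob) if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample banners mirroring the versions named in the advisories.
    samples = {
        "intel-style":   b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.45\r\n\r\n",
        "lenovo-style":  b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\n\r\n",
        "patched":       b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.51\r\n\r\n",
        "banner-hidden": b"HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n",
    }
    for name, hdr in samples.items():
        print(name, assess_banner(hdr))

    # Constructed firmware blob with two embedded copies of the web server.
    blob = b"\x00\x7fELF\x00...lighttpd/1.4.35\x00recovery\x00lighttpd/1.4.51\x00"
    print("firmware findings:", firmware_findings(blob))
```

Run against a live BMC, the banner check is a quick triage step; the firmware-string scan is the more reliable one, since it does not depend on what the web server chooses to advertise.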

Both Intel and Lenovo have confirmed that the affected models are no longer supported and are not receiving security updates, making them vulnerable until they are scrapped.

The lack of clarity and transparency from the Lighttpd developers in communicating this fix played a key role in the problem: a security fix that ships without a CVE or an advisory is easy for downstream integrators to overlook, and that is exactly what happened, so manufacturers never pulled the patch into their firmware.

Binarly stresses that vulnerable BMCs that have reached end of support will stay vulnerable indefinitely, since no further updates are coming, and therefore need to be replaced with new hardware as soon as possible.

This incident highlights the importance of transparency, timely information, and accountability for all participants involved in the security of software and hardware products. This is the only way to avoid risks to the supply chain, so that years later you don't find that it's no longer possible to fix the problem.
 
Top