
6-year-old vulnerability affects Intel, Lenovo and Supermicro servers


Baseboard Management Controllers (BMCs) are components found on many motherboards used in server systems, networking devices and other computing equipment. The BMC performs several crucial functions for managing and monitoring the system, including remotely. The news is that a group of researchers has discovered a serious security vulnerability affecting the Lighttpd web server embedded in many of these controllers, which are widely deployed in data centers and enterprises.

Vulnerability shakes some Intel, Lenovo and Supermicro servers: it has been present for 6 years

Lighttpd is an open source web server known for being light, fast and efficient, ideal for high-traffic applications, partly because it consumes very few system resources.

During recent scans of BMC controllers, researchers from Binarly discovered a heap out-of-bounds (OOB) vulnerability that can be exploited remotely through the Lighttpd server.

A heap out-of-bounds (OOB) vulnerability occurs when a program accesses data in heap memory outside the allowed bounds, that is, when it touches a portion of memory that has not been allocated for its use.

In this case, the flaw can lead to unauthorized reading of information held in memory, and can even defeat defense mechanisms such as ASLR (Address Space Layout Randomization).

The Lighttpd developers fixed the flaw in August 2018, but they did so silently, as part of the 1.4.51 release of the web server, without assigning a CVE identifier.
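One defender-side check this timeline suggests is an inventory pass that flags BMC web interfaces still advertising a Lighttpd build older than 1.4.51. The Python below is an added example, not code from Binarly or from the article; the HTTP responses are constructed, and because the article reports that the AMI MegaRAC firmware never picked up the upstream fix, a banner-based check is only a first-pass heuristic (a vendor build is assumed to possibly carry its own version string, or none at all).

```python
import re
from typing import Dict, Optional, Tuple

# Lighttpd release that shipped the silent fix (from the article).
FIXED_VERSION = (1, 4, 51)

# Constructed sample HTTP response heads, as an inventory scanner might
# record them for BMC web interfaces; not captured from real devices.
SAMPLE_RESPONSES = {
    "bmc-01": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.39\r\nContent-Type: text/html\r\n\r\n",
    "bmc-02": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.51\r\n\r\n",
    "bmc-03": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.59-devel\r\n\r\n",
    "bmc-04": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "bmc-05": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

# Matches a "Server: lighttpd/X.Y.Z" header line; trailing suffixes
# such as "-devel" are ignored for the numeric comparison.
_SERVER_RE = re.compile(
    r"^server:\s*lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE | re.MULTILINE
)


def lighttpd_version(raw_response: str) -> Optional[Tuple[int, int, int]]:
    """Return the advertised lighttpd version as a tuple, or None when the
    Server header is absent or names a different server."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    m = _SERVER_RE.search(head)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(raw_response: str) -> str:
    """'vulnerable' (older than 1.4.51), 'fixed', or 'unknown' (no usable banner).
    'unknown' hosts still need a firmware-level check, since the banner alone
    cannot prove the vendor build includes the upstream fix."""
    version = lighttpd_version(raw_response)
    if version is None:
        return "unknown"
    return "fixed" if version >= FIXED_VERSION else "vulnerable"


def triage(responses: Dict[str, str]) -> Dict[str, str]:
    """Classify every recorded response, keyed by host label."""
    return {host: classify(resp) for host, resp in responses.items()}
```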

Image: Lighttpd vulnerability in Intel and Lenovo servers (source: Binarly).

Once again the supply chain shows its weaknesses

The way the Lighttpd project handled the fix led the developers of the AMI MegaRAC BMC controller – integrated into many Intel, Lenovo and Supermicro servers – to miss it, so it was never integrated into the product. The vulnerability has thus propagated along the entire supply chain, reaching system vendors and their customers.

Binarly's analysts have assigned three identifiers to the Lighttpd flaws which, 6 years later, continue to affect servers from several brands: BRLY-2024-002, BRLY-2024-003 and BRLY-2024-004.

Meanwhile, both Intel and Lenovo have said that the affected servers have already reached the end of their life cycle. It is therefore very likely that the vulnerabilities will remain unresolved and that the manufacturers will not release corrective patches.

According to Binarly's experts, there is a “massive number” of vulnerable, publicly reachable BMC devices in circulation that have reached the end of their life but will remain vulnerable forever for lack of patches.

Embedded in motherboards, BMCs enable remote management, rebooting, monitoring and firmware updates of individual devices in data centers and cloud environments.
