A vulnerability had been discovered in the devices of several prominent manufacturers within the Lighttpd open-web server component. Lighttpd is recognized for its ‘secure, fast, standards compliant, and flexible web server optimized for high-performance environments.’
These features make it a popular choice for incorporating into various projects and tools, and it had been previously used to power sites such as Youtube and Wikipedia. This vulnerability existing for at least six-years within Lighttpd, affects over 2000 devices deployed by vendors such as American Megatrends International (AMI), Intel, Lenovo, and Supermicro.
Researchers caution that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected. BMCs are built into servers to allow cloud centers as well as their clients to remotely manage servers.
They enable administrative actions such as OS management, installation of apps, and control over different aspects of servers even while they are powered off. Over the years, BMCs from multiple manufacturers have incorporated vulnerable versions of lighttpd.
Lighttpd Bug Had Been Identified but Not Disclosed as Vulnerability
The vulnerability had been discovered and patched in 1.4.51 of the software, described as fixing ‘various use-after-free scenarios’ while being marked as consisting of ‘security fixes’ in the change logs.
The MITRE corporation describes this category of bugs as that ‘can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw’.
Researchers from Binarly who discovered the flaw’s existence on Lenovo and Intel sold devices, noted that the update did not describe the issue as a “vulnerability” or include a CVE vulnerability number. Such action they claim might have affected ‘proper handling of these fixes down both the firmware and software supply chains’.
While the bug is of moderate severity on its own, it could be chained with other vulnerabilities to access the read memory of a lighttpd Web Server process and exfiltrate sensitive data and potentially bypass memory-protection techniques such as ASLR (Address space layout randomization).
The ASLR memory protection is implemented in software to protect against buffer overflow or out-of-bounds memory attacks.
Vendors Plan Not to Release Lighttpd Bug Fix As They No Longer Support Hardware
The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. Both Intel and Lenovo have reportedly stated that they had no plans to release fixes as they no longer support the hardware where these flaws may perist. Supermicro, has however stated support for versions of its hardware still relying on lighttpd.
A Lenovo spokesman reportedly stated to ArsTechnica that ‘Lenovo is aware of the AMI MegaRAC concern identified by Binarly. We are working with our supplier to identify any potential impacts to Lenovo products. ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and are not affected.’
It’s worth mentioning explicitly, however, that the severity of the lighttpd bug is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability. In general, BMCs should be enabled only when needed and locked down carefully, as they allow for extraordinary control of entire fleets of servers with simple HTTP requests sent over the Internet.
Chip giant Intel previously issued an advisory in 2018 warning customers about over 13 security bugs discovered in its version of the baseboard management controller (BMC) firmware for Intel Server products while conducting internal evaluation. The reported flaws included including one critical flaw that could be exploited to leak sensitive data or allow attackers to escalate privileges.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
