About the vulnerability
The vulnerability resides in the Lighttpd web server, a lightweight and efficient open-source server commonly used for high-traffic websites. Researchers at the firmware security firm Binarly stumbled upon this flaw, which had gone unnoticed for years. The flaw lies in the handling of "folded" HTTP request headers and leads to a heap out-of-bounds (OOB) read.
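The bug class, as an added illustrative example in C that is not lighttpd's own code and does not reproduce its actual defect: an obs-fold unfolding routine in which every look-ahead past a CRLF is guarded by the buffer length, so a header block that ends right after a line break cannot be read beyond its heap allocation. Folds are replaced by a single SP, as RFC 7230 permits; the function and helper names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Unfold obs-fold continuation lines (CRLF followed by SP or HT) in a raw
 * header block of exactly `len` bytes, writing the result to `out`.
 * Every look-ahead past a CRLF is guarded by `len`, so a block that ends
 * right after a line break is never read past its end. Each fold becomes
 * one SP, as RFC 7230 permits. Returns the output length, or -1 if `out`
 * is too small. Illustrative code, not lighttpd's parser. */
long unfold_headers(const char *buf, size_t len, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (buf[i] == '\r' && i + 1 < len && buf[i + 1] == '\n') {
            /* Peek at the byte after CRLF only if it exists. */
            if (i + 2 < len && (buf[i + 2] == ' ' || buf[i + 2] == '\t')) {
                i += 2;                       /* skip the CRLF */
                while (i < len && (buf[i] == ' ' || buf[i] == '\t'))
                    i++;                      /* and the leading whitespace */
                if (o >= outcap) return -1;
                out[o++] = ' ';
                continue;
            }
            if (o + 2 > outcap) return -1;    /* ordinary line end */
            out[o++] = '\r';
            out[o++] = '\n';
            i += 2;
            continue;
        }
        if (o >= outcap) return -1;
        out[o++] = buf[i++];
    }
    return (long)o;
}

/* Helper for checking results: unfold `in` and compare with `expect`. */
int unfold_matches(const char *in, const char *expect)
{
    char out[256];
    long n = unfold_headers(in, strlen(in), out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(out, expect, n) == 0;
}
```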
The Culprit: Lighttpd Web Server
The Lighttpd developers quietly patched the issue in version 1.4.51, released in August 2018, without requesting a tracking ID (CVE).
Because no advisory was issued, the AMI MegaRAC BMC developers missed the change and did not incorporate it into their firmware. As a result, the vulnerability propagated further down the supply chain to system vendors and their customers.
The Impact
BMCs are microcontrollers that are integrated into server-grade motherboards, such as those found in cloud and data center systems, and allow for firmware updates, remote management, restarting, and monitoring of the device.
Binarly discovered that AMI neglected to apply the Lighttpd patch from 2019 until 2023, so numerous devices susceptible to the remotely exploitable flaw were deployed throughout that period.
The vulnerability allows attackers to read process memory addresses, a critical piece of information. Armed with this data, malicious actors can bypass security mechanisms such as Address Space Layout Randomization (ASLR). In essence, the flaw undermines the very protection mechanisms designed to prevent unauthorized access.
Supply Chain Fallout
The story takes an unexpected twist as we trace the flaw's journey through the supply chain. The maintainers of Lighttpd patched the vulnerability silently in August 2018 (version 1.4.51), without assigning a tracking ID (CVE). Unfortunately, this silent fix allowed the flaw to persist in downstream firmware.
The Vendors and Their Devices
Several vendors unwittingly shipped devices with this vulnerability, including Intel, Lenovo, and Supermicro. Let’s explore the impact of each:
Intel
The vulnerability affects the M70KLP series firmware (latest version).
Internal identifier: BRLY-2024-002.
Approximately 2000+ Intel server models remain vulnerable.
Lenovo
Lenovo’s BMC firmware (latest version) harbors the same flaw.
Impacted server models: HX3710, HX3710-F, and HX2710-E.
Internal identifier: BRLY-2024-003.
Supermicro
While not explicitly mentioned, Supermicro devices are likely affected due to their reliance on Lighttpd. The flaw underscores the need for thorough security assessments across the board.
The Hackable Hardware
The oversight in communication between vendors, maintainers, and end-users has resulted in the shipment of hackable hardware. These devices unwittingly expose sensitive information, jeopardizing the security of data centers, cloud services, and critical infrastructure.
The Urgent Call to Action
As the flaw’s existence becomes public knowledge, vendors must act swiftly:
Patch and Update: Vendors should release patches addressing the vulnerability promptly.
Security Audits: Rigorous security audits are essential to identify and rectify hidden flaws.
Transparency: Clear communication channels between maintainers, vendors, and end-users are crucial.