A long-standing vulnerability in the Lighttpd web server, utilized in Baseboard Management Controllers (BMC), has gone unnoticed by major device vendors like Intel and Lenovo for nearly six years. This oversight exposes BMCs to potential memory exfiltration, posing a significant security risk to these systems. Despite Lighttpd’s reputation for being lightweight and efficient, its unnoticed flaw underscores systemic shortcomings in firmware supply chains, leading to vulnerabilities that persist over extended periods.
The vulnerability, initially addressed in August 2018, was silently patched by Lighttpd maintainers in version 1.4.51 without a tracking ID (CVE), causing it to be missed by developers of AMI MegaRAC BMC and subsequently by system vendors and their customers. As a result, a large number of devices have remained vulnerable to this remotely exploitable bug, creating a widespread security concern throughout the affected supply chain.
Binarly, a firmware security firm, discovered the vulnerability during recent scans of BMCs, noting that impacted devices include those from prominent vendors such as Intel and Lenovo. Despite being informed of the issue, both vendors indicated that affected models had reached end-of-life (EOL) status and would not receive security updates, leaving them vulnerable indefinitely.
The lack of transparency and delayed awareness about the vulnerability from Lighttpd maintainers further exacerbates the problem, as vendors struggle to integrate necessary fixes in a timely manner. This case highlights the need for improved communication and collaboration within firmware supply chains to address vulnerabilities promptly and mitigate potential security risks to BMCs and other affected systems.
