
Lighttpd Server Flaw Found in Unpatched Intel and Lenovo BMCs

Firmware security company Binarly has found that a security flaw in the Lighttpd web server used in baseboard management controllers (BMCs) remains unpatched in devices from vendors such as Intel and Lenovo.

Although the underlying issue was identified and fixed by the Lighttpd maintainers in August 2018, with the fix shipping in version 1.4.51, no CVE identifier or security advisory was ever published for it. The fix therefore went unnoticed by the developers of AMI's MegaRAC BMC firmware, and the unpatched code was carried into products from Intel and Lenovo.

Lighttpd, known as “Lighty,” is open-source server software optimized for speed, security, and flexibility in high-performance environments.

The Lighttpd fix addresses an out-of-bounds read. A bug of this class lets a remote client read memory beyond the intended buffer, which can expose sensitive data and leak process addresses that defeat mitigations such as ASLR.

Firmware security company Binarly stated, “The absence of timely security fix information hinders the proper handling of these fixes in firmware and software supply chains.”

Binarly's findings cover out-of-bounds reads in several Lighttpd versions bundled in Intel and Lenovo products. Because the affected products have reached end-of-life status, no fix will be issued for them, making these so-called forever-day bugs.
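The article gives a single actionable data point: the fix is in Lighttpd 1.4.51 and later, with no CVE to search for. The following triage helper is an added example, not code from the article, from Binarly, or from any vendor. It parses the Server header a BMC web interface returns and flags Lighttpd builds older than 1.4.51. The sample responses are constructed, and the host-probing function is an illustration of how a practitioner would feed it real data. Two caveats: a vendor may have backported the fix without bumping the advertised version, and a suppressed or absent Server header says nothing either way, so the verdict is a triage signal rather than proof of vulnerability.

```python
import http.client
import re
import ssl
from typing import Optional, Tuple

# First upstream release carrying the fix (per the article: August 2018, 1.4.51).
FIXED_VERSION = (1, 4, 51)

_SERVER_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(server_header: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header value.

    Returns None when the header is missing or does not advertise a
    lighttpd version (e.g. a vendor-suppressed or rewritten banner).
    """
    if not server_header:
        return None
    m = _SERVER_RE.search(server_header)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(server_header: Optional[str]) -> str:
    """Map a Server header value to a triage verdict.

    'likely-vulnerable' : lighttpd older than 1.4.51 (fix absent upstream;
                          a vendor backport is still possible)
    'fixed-upstream'    : lighttpd 1.4.51 or newer
    'unknown'           : no lighttpd version advertised
    """
    version = parse_lighttpd_version(server_header)
    if version is None:
        return "unknown"
    # Tuple comparison handles 1.4.5 < 1.4.51 correctly, unlike string compare.
    return "likely-vulnerable" if version < FIXED_VERSION else "fixed-upstream"


def triage_headers(raw_response_head: str) -> str:
    """Take a raw HTTP response head (status line plus headers) and return the verdict."""
    for line in raw_response_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return classify(value.strip())
    return "unknown"


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a HEAD request to a BMC and classify its Server header.

    BMCs almost always present self-signed certificates, so certificate
    verification is disabled here deliberately; this is a read-only probe
    against hosts you are authorised to assess. Network access is assumed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return classify(resp.getheader("Server"))
    finally:
        conn.close()


# Constructed sample responses for offline use; not captured from any real device.
SAMPLE_OLD = "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_NEW = "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.59\r\n\r\n"
SAMPLE_HIDDEN = "HTTP/1.1 200 OK\r\nServer: \r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_HIDDEN):
        print(triage_headers(sample))
```

In practice you would run `probe_host()` across an inventory of BMC addresses and follow up every `likely-vulnerable` and `unknown` result with the vendor's firmware release notes, since the banner alone cannot tell a backported fix from an unpatched build.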

The disclosure underscores the risk posed by outdated third-party components embedded in firmware: a fix that is silent upstream never reaches the vendors downstream, and end users inherit the bug through the supply chain.

Binarly emphasized, “This vulnerability will persist in some products without a fix, posing high-impact risks to the industry for an extended period.”


