A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by product vendors like Intel and Lenovo, new findings from Binarly reveal.
Although the original shortcoming was discovered and patched by the Lighttpd maintainers back in August 2018 with version 1.4.51, the absence of a CVE identifier or an advisory meant that it was overlooked by the developers of AMI MegaRAC BMC, eventually ending up in products built by Intel and Lenovo.
Lighttpd (pronounced "Lighty") is an open-source, high-performance web server designed for speed, security, and flexibility, optimized for high-performance environments without consuming a lot of system resources.
The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (ASLR).
"The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains," the firmware security company said.
The flaws are described below –
- Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
- Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
- Out-of-bounds read in Lighttpd before 1.4.51
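Because the fix shipped without a CVE, the only practical way to find affected builds is by the Lighttpd version string itself. The following is an added triage example (not Binarly's or Lighttpd's code) that pulls `lighttpd/X.Y.Z` banners out of HTTP `Server` headers or a firmware strings dump and flags anything older than 1.4.51; the sample lines are constructed, not captured from a real device.

```python
import re

# Version in which the Lighttpd maintainers fixed the out-of-bounds read (August 2018).
FIXED_VERSION = (1, 4, 51)

# Matches banners such as "Server: lighttpd/1.4.45" or strings-dump entries like "lighttpd/1.4.35".
_BANNER_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(text):
    """Return the first lighttpd version in text as a (major, minor, patch) tuple, or None."""
    m = _BANNER_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the version predates the silent 1.4.51 fix (tuple comparison is lexicographic)."""
    return version < FIXED_VERSION


def triage(lines):
    """Scan lines (HTTP headers or `strings` output) and return (line, version, vulnerable) findings."""
    findings = []
    for line in lines:
        version = parse_lighttpd_version(line)
        if version is not None:
            findings.append((line.strip(), version, is_vulnerable(version)))
    return findings


# Constructed sample input, not from a real device; versions mirror those cited in the advisory.
SAMPLE_LINES = [
    "Server: lighttpd/1.4.45",                               # Intel M70KLP firmware version
    "lighttpd/1.4.35 (ssl) - a light and fast webserver",   # Lenovo BMC firmware version
    "Server: lighttpd/1.4.51",                               # first fixed release
    "Server: Apache/2.4.57",                                 # not lighttpd, ignored
]

if __name__ == "__main__":
    for line, version, vuln in triage(SAMPLE_LINES):
        status = "VULNERABLE (pre-1.4.51)" if vuln else "fixed"
        print(f"{'.'.join(map(str, version)):>8}  {status:<24}  {line}")
```

Feed it the output of `strings` on an extracted BMC firmware image, or the headers from a BMC's management interface, to inventory devices that will never receive a vendor patch.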
Intel and Lenovo have opted not to address the issue, as the products incorporating the vulnerable version of Lighttpd have reached end-of-life (EoL) status and are no longer eligible for security updates, effectively turning it into a forever-day bug.
The disclosure highlights how the presence of outdated third-party components in the latest version of firmware can traverse the supply chain and pose unintended security risks for end users.
"This is yet another vulnerability that will remain unfixed forever in some products and will present high-impact risk to the industry for a very long time," Binarly added.
Some parts of this article are sourced from:
thehackernews.com