Intel, Lenovo Devices Vulnerable: Unpatched Servers Exposed

Six years ago, a vulnerability was discovered in the Lighttpd web server, which is used in server board management controllers. It was promptly rectified; however, products from many major manufacturers, including Intel and Lenovo, still contain it, exposing end users to risk. But how did this happen?

Lighttpd is an open-source web server known for its small footprint, speed, and efficiency, which makes it a popular choice for high-traffic sites and for embedded systems where system resources are scarce.

Researchers at Binarly, specializing in the security of embedded software solutions, including BIOS and UEFI firmware, were surprised to find that hardware from the aforementioned manufacturers remains susceptible to this six-year-old vulnerability.

The issue was discovered during recent routine scans of server baseboard management controllers (BMCs). The researchers identified a remotely triggerable out-of-bounds heap read in the Lighttpd web server's handling of "folded" HTTP request headers.

Although the vulnerability was fixed in August 2018 in Lighttpd version 1.4.51, the developers patched it quietly, without assigning a tracking identifier (CVE). As a result, the developers of the AMI MegaRAC BMC firmware missed the fix and did not integrate it into their product, and the vulnerability propagated further down the supply chain to system vendors and their customers.

The researchers note that the flaw allows an attacker to read data from the process's memory remotely, which could help circumvent protection mechanisms such as Address Space Layout Randomization (ASLR).

Binarly reports that the vulnerable products include devices from Intel, Lenovo, and Supermicro. Currently, more than 2,000 vulnerable devices are operational in the field, though the actual number could be higher.

The analysts assigned three internal identifiers to the Lighttpd vulnerability, according to the vendors and devices affected:

  • BRLY-2024-002: A specific vulnerability in Lighttpd version 1.4.45 used in Intel M70KLP series firmware version 01.04.0030 (latest), affecting certain Intel server models.
  • BRLY-2024-003: A specific vulnerability in Lighttpd version 1.4.35 in Lenovo BMC firmware version 2.88.58 (latest), used in Lenovo server models HX3710, HX3710-F, and HX2710-E.
  • BRLY-2024-004: A general vulnerability in Lighttpd versions up to 1.4.51, allowing sensitive data to be read from server memory.
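A defender-side inventory check for this issue, added here as an example and not part of Binarly's report or the Lighttpd project: it parses the Lighttpd version from a BMC's HTTP `Server` banner and flags builds older than 1.4.51, the version in which the fix landed. The host names and response headers are constructed sample data.

```python
import re
from typing import Optional

# Version in which the folded-header out-of-bounds read was fixed (per the article).
FIXED_VERSION = (1, 4, 51)

_SERVER_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(server_header: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from a banner such as 'lighttpd/1.4.45'.
    Returns None if the banner is not lighttpd or carries no version."""
    m = _SERVER_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def is_unpatched(server_header: str) -> Optional[bool]:
    """True if the banner reports a lighttpd build older than 1.4.51, False if
    1.4.51 or newer, None if the version cannot be determined (banner hidden,
    different server, or no version string)."""
    v = parse_lighttpd_version(server_header)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so 1.4.5 < 1.4.51 holds
    # (a plain string comparison would get this wrong).
    return v < FIXED_VERSION


def triage(bmc_headers: dict) -> dict:
    """Bucket BMC hosts by the lighttpd version advertised in their response headers."""
    result = {"unpatched": [], "patched": [], "unknown": []}
    for host, headers in bmc_headers.items():
        verdict = is_unpatched(headers.get("Server", ""))
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["unpatched"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample: headers as they might be collected from BMC management interfaces.
SAMPLE_BMC_HEADERS = {
    "bmc-intel-01": {"Server": "lighttpd/1.4.45"},   # version cited in BRLY-2024-002
    "bmc-lenovo-01": {"Server": "lighttpd/1.4.35"},  # version cited in BRLY-2024-003
    "bmc-new-01": {"Server": "lighttpd/1.4.59"},
    "bmc-hidden-01": {"Server": "lighttpd"},         # version stripped: cannot conclude
    "bmc-other-01": {"Server": "nginx/1.24.0"},
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_BMC_HEADERS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A banner check is an inventory aid, not proof: hosts that land in the "unknown" bucket must be resolved against the vendor's firmware release notes, and end-of-support devices stay in the "unpatched" bucket regardless of what they advertise.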

Both Intel and Lenovo have confirmed that the affected models are no longer supported and do not receive security updates, leaving them vulnerable until decommissioned.

The Lighttpd developers' lack of clear, transparent communication about this vulnerability was a key factor in how the problem arose. Because the issue was not given the attention it deserved, manufacturers did not integrate the necessary fix in time.

Binarly emphasizes that BMC devices that have reached end of support will remain permanently vulnerable because no updates will be issued, so they should be replaced promptly.

This incident underscores the importance of transparency, timely disclosure, and accountability from every party involved in securing software and hardware products. Only then can supply-chain risk be contained, rather than discovering years later that a problem can no longer be fixed.