Intel and Lenovo BMCs Include Unpatched Lighttpd Server Flaw

A security flaw affecting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors such as Intel and Lenovo, new findings from Binarly reveal.

While the original shortcoming was discovered and patched by the Lighttpd maintainers back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by the developers of the AMI MegaRAC BMC firmware, ultimately ending up in products made by Intel and Lenovo.

Lighttpd (pronounced "Lighty") is an open-source, high-performance web server designed for speed, security, and flexibility, optimized for high-performance environments without consuming a lot of system resources.

The silent fix in Lighttpd addressed an out-of-bounds read vulnerability that could be exploited to leak sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (ASLR).

"The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains," the firmware security company said.

The flaws are described below:

  • Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
  • Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
  • Out-of-bounds read in Lighttpd before 1.4.51
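Because the fix never got a CVE, vulnerability scanners keyed on advisories will not flag it; the practical check is whether a BMC's web interface reports a Lighttpd version older than 1.4.51. The script below is an added example, not code from Binarly or the article, that pulls the Lighttpd version out of a Server header and compares it numerically against the fixed release. The host names and response headers are constructed sample data, not captures from real Intel or Lenovo devices.

```python
import re

# Version in which the Lighttpd maintainers shipped the silent fix (August 2018).
FIXED_VERSION = (1, 4, 51)

# Constructed sample: raw HTTP response headers as a BMC web interface might
# return them. Illustrative only; not from real devices.
SAMPLE_RESPONSES = {
    "bmc-a": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Type: text/html\r\n\r\n",
    "bmc-b": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.45\r\n\r\n",
    "bmc-c": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.51\r\n\r\n",
    "bmc-d": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.5\r\n\r\n",   # must not be mistaken for 1.4.5x
    "bmc-e": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",     # not Lighttpd at all
    "bmc-f": "HTTP/1.1 200 OK\r\n\r\n",                             # banner suppressed
}

# Matches a "Server: lighttpd/<dotted version>" header line anywhere in the block.
SERVER_RE = re.compile(r"^Server:\s*lighttpd/(\d+(?:\.\d+)*)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '1.4.35' into (1, 4, 35) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def lighttpd_version(headers):
    """Return the Lighttpd version tuple from a header block, or None if absent."""
    match = SERVER_RE.search(headers)
    return parse_version(match.group(1)) if match else None


def is_before_fix(version, fixed=FIXED_VERSION):
    """True when the reported version predates the release carrying the fix."""
    return version < fixed


def classify(headers):
    """'affected', 'fixed', or 'unknown' (no usable Lighttpd banner)."""
    version = lighttpd_version(headers)
    if version is None:
        return "unknown"
    return "affected" if is_before_fix(version) else "fixed"


def audit(responses):
    """Map each host name to its classification."""
    return {host: classify(headers) for host, headers in responses.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{host}: {verdict}")
```

Two caveats apply. A Server banner can be suppressed or rewritten, so "unknown" means the device needs a firmware-level inventory rather than a clean bill of health, and a version that reads as fixed only tells you the upstream fix is present, not that the vendor's build carries it. For the end-of-life products named in the article, where no update will come, the remaining control is keeping the BMC's management interface off any network that untrusted clients can reach.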

Intel and Lenovo have opted not to address the issue, as the products incorporating the affected version of Lighttpd have reached end-of-life (EoL) status and are no longer eligible for security updates, effectively turning it into a forever-day bug.

The disclosure highlights how outdated third-party components in even the latest firmware versions can travel down the supply chain and pose unintended security risks for end users.

"This is yet another vulnerability that will remain unfixed forever in some products and will present high-impact risk to the industry for a very long time," Binarly added.
