A security flaw impacting the Lighttpd web server used in baseboard management controllers (
BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal.
While the original shortcoming was
discovered and patched by the Lighttpd maintainers way back in August 2018 with
version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo.
Lighttpd (pronounced "Lighty") is an open-source high-performance web server software designed for speed, security, and flexibility, while optimized for high-performance environments without consuming a lot of system resources.
The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (
ASLR).
"The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains," the firmware security company
said.
