Introduction:
An overlooked vulnerability in the Lighttpd web server, as used in Baseboard Management Controllers (BMCs), has resurfaced, putting servers made by Intel and Lenovo at risk. Although the flaw was fixed upstream in August 2018, the fix went unnoticed by device vendors and never reached their firmware, exposing a critical gap in supply-chain security across the firmware ecosystem.
Background:
Baseboard Management Controllers (BMCs) are microcontrollers embedded on server-grade motherboards that provide remote management, monitoring, and firmware updates independently of the host operating system. The Lighttpd flaw, found by researchers at the firmware security firm Binarly during recent scans of BMC firmware, is a heap out-of-bounds (OOB) read in the processing of HTTP request headers. An attacker who triggers it can read process memory beyond the intended buffer, including pointer values, and use the disclosed addresses to defeat Address Space Layout Randomization (ASLR), removing a key obstacle to further exploitation.
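To make the bug class concrete, the following is an added example written for this article; it is not Lighttpd's code and not Binarly's proof of concept. It shows a header parser that searches for the CRLF terminator without honouring the number of bytes actually received, so a header that arrives without CRLF makes the scan run past the field into whatever the heap holds next, and a hardened parser that bounds the scan by the received length. The request bytes, the header name, and the "neighbouring" pointer value are all constructed for the demonstration.

```c
/* Added example (editor's illustration, not Lighttpd's code or Binarly's PoC):
 * the bug class behind a heap out-of-bounds read in HTTP header parsing.
 * A parser that searches for the CRLF terminator without honouring the
 * number of bytes actually received will, on a header that arrives without
 * CRLF, keep reading into whatever the heap holds next. If that is a pointer,
 * the bytes copied into a response or log disclose an address and defeat
 * ASLR. All buffers and the "neighbouring" value are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 16                 /* bytes of header actually received   */
#define NEIGHBOUR_LEN 8            /* pointer-sized heap neighbour        */
#define BUF_LEN (HDR_LEN + NEIGHBOUR_LEN)

/* Stand-in for an adjacent heap object: the little-endian bytes of the
 * made-up address 0x00007f3a11225566. No byte is '\r' (0x0d), so a
 * terminator search only stops at the first 0x00. */
static const unsigned char fake_neighbour[NEIGHBOUR_LEN] =
    {0x66, 0x55, 0x22, 0x11, 0x3a, 0x7f, 0x00, 0x00};

/* Build the constructed request: 16 header bytes, deliberately without
 * CRLF, immediately followed in the same allocation by fake_neighbour. */
static unsigned char *make_request(void) {
    unsigned char *buf = malloc(BUF_LEN);
    if (!buf) abort();
    memcpy(buf, "If-None-Match:ab", HDR_LEN);            /* exactly 16 bytes */
    memcpy(buf + HDR_LEN, fake_neighbour, NEIGHBOUR_LEN);
    return buf;
}

/* VULNERABLE: stops at '\r' or NUL, ignoring how many bytes were received.
 * The only bound is whatever byte happens to follow the header in memory. */
size_t header_len_vuln(const unsigned char *p) {
    size_t n = 0;
    while (p[n] != '\r' && p[n] != '\0') n++;
    return n;
}

/* HARDENED: the scan is bounded by the received length; a header with no
 * terminator inside those bytes is reported as incomplete, not parsed. */
int header_len_safe(const unsigned char *p, size_t avail, size_t *out) {
    for (size_t n = 0; n < avail; n++) {
        if (p[n] == '\r') { *out = n; return 0; }
    }
    return -1;
}

/* Length the vulnerable scan reports for the constructed request:
 * the 16 real bytes plus the 6 neighbour bytes before the first 0x00. */
size_t vuln_scan_len(void) {
    unsigned char *req = make_request();
    size_t n = header_len_vuln(req);
    free(req);
    return n;
}

/* What an attacker recovers if the over-long "header value" is echoed back:
 * the bytes past HDR_LEN reassembled little-endian, i.e. most of the
 * neighbouring pointer. Returns 0 if nothing leaked. */
uint64_t vuln_leaked_value(void) {
    unsigned char *req = make_request();
    size_t n = header_len_vuln(req);
    uint64_t v = 0;
    for (size_t i = HDR_LEN; i < n && i < BUF_LEN; i++)
        v |= (uint64_t)req[i] << (8 * (i - HDR_LEN));
    free(req);
    return v;
}

/* Return code of the hardened parser on the same input: -1 (incomplete). */
int safe_scan_rc(void) {
    unsigned char *req = make_request();
    size_t len = 0;
    int rc = header_len_safe(req, HDR_LEN, &len);
    free(req);
    return rc;
}

int main(void) {
    printf("vulnerable scan length : %zu (received only %d)\n", vuln_scan_len(), HDR_LEN);
    printf("leaked neighbour value : 0x%012llx\n", (unsigned long long)vuln_leaked_value());
    printf("hardened parser rc     : %d\n", safe_scan_rc());
    return 0;
}
```

The example keeps the over-read inside one allocation so it runs deterministically; in a real server the bytes past the header would belong to a different heap chunk, and the value that comes back is a live pointer rather than a constant. The fix is the same in both cases: every scan over received data must be bounded by the received length, and a missing terminator is a protocol error, not something to search for in adjacent memory.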
Supply Chain Implications:
AMI, the developer of the MegaRAC BMC firmware, did not pick up the Lighttpd fix between 2019 and 2023, so a large number of Intel and Lenovo servers shipped with vulnerable BMC firmware. Binarly's analysis found nearly 2,000 affected devices, including firmware released as recently as February 22, 2023.
Vendor Response:
Upon notification by Binarly, Intel and Lenovo acknowledged the vulnerability but stated that the affected models have reached end-of-life (EOL) and will not receive security updates. A substantial number of deployed BMCs therefore remain vulnerable indefinitely, which shows how difficult patch management and supply-chain security are in the firmware ecosystem.
Addressing the Issue:
Binarly's report stresses the need for greater transparency and collaboration among firmware maintainers, device vendors, and end users: upstream fixes must be integrated promptly, and legacy devices need a security plan even after EOL. For operators of affected hardware, the practical mitigation is to keep BMC management interfaces on a dedicated, access-controlled management network and never expose them to the internet, since no firmware fix is coming for these models. More broadly, robust patch management and coordination across the supply chain are what keep flaws like this from reaching critical infrastructure.
Conclusion:
The rediscovery of this long-standing vulnerability shows how complex supply-chain security has become in the firmware ecosystem: a silent upstream fix that never propagates to downstream vendors leaves hardware exposed for years. The incident is a wake-up call for the industry to treat firmware security as a first-class concern and to address vulnerabilities in a timely manner, strengthening the resilience of the whole supply chain.