BMC flaw left unchecked for 6 years hits Intel and Lenovo servers
The lack of communication that happened six years ago resulted in thousands of devices being vulnerable to a remotely exploitable heap out-of-bounds (OOB) read vulnerability – today. Among the vulnerable devices are Intel and Lenovo servers.
Here is what happened: Six years ago, the maintainers of Lighttpd discovered the above-mentioned flaw, which could allow threat actors to exfiltrate process memory addresses. That, in turn, could have been used to work around protection mechanisms.
The security team patched the flaw in August 2018, in version 1.4.51, but they didn’t assign a CVE. Lighttpd is an open-source web server optimized for speed-critical environments.
Thousands of vulnerable devices
As the CVE wasn’t assigned, the developers of AMI MegaRAC Baseboard Management Controllers (BMC) missed the update and did not integrate it into their product, BleepingComputer reports. BMCs are microcontrollers found on motherboards built for servers, data centers, cloud environments, and similar. They are designed for remote management, rebooting, monitoring, and firmware.
Consequently, the vulnerability was passed down the supply chain to system vendors and their customers.
Six years later, during a BMC scan, security researchers Binarly stumbled upon the vulnerability. The company says that multiple products, including some from Intel, Lenovo, and Supermicro, are all vulnerable.
“Based on our data, nearly 2000+ devices are impacted in the field. In reality, this number is even bigger,” the researchers told BleepingComputer.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Depending on the vendors and the devices, the vulnerability was given three separate identifiers: BRLY-2024-002, BRLY-2024-003, and BRLY-2024-004.
While Binarly claims that some of the vulnerable systems were released as recently as late February last year, both Intel and Lenovo said the impacted models reached end-of-life and as such aren’t recommended for use anyway. They will never receive further patches to address the problem, and will remain vulnerable until they are replaced with newer, supported systems.
More from TechRadar Pro
The lack of communication that happened six years ago resulted in thousands of devices being vulnerable to a remotely exploitable heap out-of-bounds (OOB) read vulnerability – today. Among the vulnerable devices are Intel and Lenovo servers. Here is what happened: Six years ago, the maintainers of Lighttpd discovered the above-mentioned…
Recent Posts
- Amazon’s Fallout has been renewed for season 2
- Quordle today – hints and answers for Friday, April 19 (game #816)
- NYT Strands today — hints, answers and spangram for Friday, April 19 (game #47)
- The Meta Quest 2 gets a permanent price cut to $199
- Galaxy users claim they’re running into infamous green line problem after update
Archives
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011