Hackers can use the Lighttpd vulnerability to target BMCs
Intel and Lenovo won't provide any fixes
Lighttpd is a popular open-source web server. Multiple manufacturers use it in their tools and products because it is flexible, fast, efficient, and standards-compliant, and it performs well in high-performance environments. Unfortunately, Lighttpd has a long-unaddressed vulnerability that affects over 2,000 devices made by Intel, Lenovo, Supermicro, and American Megatrends International (AMI).
In addition, the Lighttpd vulnerability affects baseboard management controllers (BMCs) from Duluth, Georgia-based AMI and Taiwan-based AETN.
What are BMCs for?
The problem could become serious because BMCs are what allow cloud data centers and their customers to manage servers remotely. They also keep running even when the host system is powered off. Thus, threat actors could use the Lighttpd vulnerability to remotely break into BMCs and gain access to and control over the servers at any time.
Lighttpd developers fixed the problem in 2018 without explicitly describing it in the patch. On top of that, they didn't assign a CVE to it. As a result, manufacturers continued shipping the outdated version of the open-source web server.
Hackers can exploit the Lighttpd vulnerability to read a server's memory. From there, they can bypass protections such as ASLR (address space layout randomization).
Intel and Lenovo will not release a patch to fix the issue. In addition, they say they no longer support the hardware that may be vulnerable to it. The other affected devices will therefore remain at risk indefinitely. For example, Supermicro still relies on Lighttpd. So, consider contacting the manufacturer for a possible fix.
Fortunately, the Lighttpd vulnerability alone is not severe, because cybercriminals need a working exploit to use it. On top of that, you should enable BMCs only when you need them. Afterward, lock them down carefully, because they allow servers to be controlled through HTTP requests.
Ultimately, you can manage the Lighttpd vulnerability with some extra care. After all, if you use Intel or Lenovo hardware, there won't be a fix. You can find the vulnerability in systems running Lighttpd versions 1.4.35, 1.4.45, and 1.4.51. However, you shouldn't worry much about it, because the issue persisted for six years and nobody did anything about it.
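Because the advice above amounts to "know which BMCs run an affected Lighttpd build and keep them disabled or isolated", here is a small offline triage script that turns that into a repeatable check. It is an added example, not code from the article or from any of the vendors named in it. It parses saved HTTP response headers (constructed sample data, with placeholder hostnames) for a Lighttpd version string, matches it against the versions this article lists as affected, and combines that with an operator-supplied exposure flag to rank which BMC interfaces to disable or isolate first. The version list is taken from the article only; any other Lighttpd build is reported as "unverified" rather than assumed fixed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Lighttpd versions the article names as affected. This is the article's list,
# not an authoritative advisory; any other Lighttpd build is reported as "unverified".
ARTICLE_AFFECTED_VERSIONS = {(1, 4, 35), (1, 4, 45), (1, 4, 51)}

# Matches a "Server: lighttpd/x.y.z" response header (header name and product are
# matched case-insensitively, since BMC firmware is not consistent about casing).
SERVER_HEADER_RE = re.compile(
    r"^Server:\s*lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE | re.MULTILINE
)


def parse_lighttpd_version(raw_headers: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) tuple advertised by a Lighttpd Server header,
    or None when the response does not identify itself as Lighttpd."""
    match = SERVER_HEADER_RE.search(raw_headers)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


@dataclass
class Finding:
    host: str
    version: Optional[Tuple[int, int, int]]
    status: str   # "affected", "unverified", or "not-lighttpd"
    action: str


def assess_bmc(host: str, raw_headers: str, reachable_from_untrusted_net: bool) -> Finding:
    """Triage one BMC from a saved HTTP response header block.

    'reachable_from_untrusted_net' is an inventory flag supplied by the operator
    (an assumed input for this example). The article's mitigation is to keep BMCs
    disabled until needed and locked down, so exposure raises the recommended action.
    """
    version = parse_lighttpd_version(raw_headers)
    if version is None:
        return Finding(host, None, "not-lighttpd", "no action for this issue")
    if version in ARTICLE_AFFECTED_VERSIONS:
        action = "disable the BMC interface until needed; ask the vendor for a fix"
        if reachable_from_untrusted_net:
            action = "URGENT: " + action + "; move it to an isolated management network"
        return Finding(host, version, "affected", action)
    return Finding(host, version, "unverified",
                   "confirm with the vendor whether this build carries the 2018 fix")


# Constructed sample data: raw response headers as saved by a management-network
# inventory tool, plus the operator's exposure flag. Hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("bmc-rack1-node3.example",
     "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Type: text/html\r\n", True),
    ("bmc-rack1-node4.example", "HTTP/1.1 200 OK\r\nserver: LIGHTTPD/1.4.51\r\n", False),
    ("bmc-rack2-node1.example", "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.59\r\n", False),
    ("bmc-rack2-node2.example", "HTTP/1.1 200 OK\r\nServer: nginx\r\n", True),
]


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Run the check over every saved response and return findings, affected hosts first."""
    findings = [assess_bmc(host, hdrs, exposed) for host, hdrs, exposed in inventory]
    order = {"affected": 0, "unverified": 1, "not-lighttpd": 2}
    return sorted(findings, key=lambda f: order[f.status])


if __name__ == "__main__":
    for f in triage_inventory():
        ver = ".".join(map(str, f.version)) if f.version else "-"
        print(f"{f.host:28} {ver:8} {f.status:13} {f.action}")
```

The script deliberately performs no network requests: it consumes headers you have already captured from your own management network, so it can run as part of an offline inventory review. A build that is not on the article's list is never reported as safe, only as needing vendor confirmation, which matches the article's point that the fix was never labelled with a CVE.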
What are your thoughts? Should Intel and Lenovo do something about the issue? Let us know in the comments.