BMC flaw unchecked for six years affects Intel and Lenovo servers
A communication gap six years ago has left thousands of devices vulnerable today to a remotely exploitable heap out-of-bounds (OOB) read vulnerability. The vulnerable devices include Intel and Lenovo servers.
Here is what happened: six years ago, the Lighttpd maintainers discovered the flaw, which could let threat actors leak the memory addresses of processes. Such leaked addresses could in turn be used to bypass protection mechanisms.
The security team fixed the bug in August 2018 in version 1.4.51, but no CVE was assigned. Lighttpd is an open-source web server optimized for speed-critical environments.
Thousands of vulnerable devices
Because no CVE was allocated, the developers of AMI MegaRAC Baseboard Management Controllers (BMCs) missed the update and did not integrate it into their product, BleepingComputer reports. BMCs are microcontrollers on motherboards built for servers, data centers, cloud environments and the like. They provide out-of-band remote management, including restarting, monitoring and firmware updates.
As a result, the vulnerability was passed down the supply chain to system vendors and their customers.
Six years later, security researchers at Binarly discovered the vulnerability while scanning BMC firmware. The company says multiple products, including some from Intel, Lenovo and Supermicro, are vulnerable.
“Based on our data, almost 2,000 devices in the field were affected. In reality, this number is even higher,” the researchers told BleepingComputer.
Depending on the vendor and device, the vulnerability was assigned three separate identifiers: BRLY-2024-002, BRLY-2024-003 and BRLY-2024-004.
Although Binarly claims that some of the vulnerable systems were released as recently as late February last year, both Intel and Lenovo say that the affected models have reached end of life and are therefore no longer recommended for use. They will not receive patches for the problem and will remain vulnerable until they are replaced by newer, supported systems.