Posted 4/11/2024, 4:50:21 PM
Old Lighttpd Bug in BMCs Leaves Thousands of Servers Exposed
- Almost 6-year-old vulnerability in the Lighttpd web server used in BMCs, overlooked by Intel, Lenovo, and other vendors
- Allows a remote heap out-of-bounds read, exposing sensitive data such as memory addresses
- The fix was released silently in 2018, so AMI missed it and the bug trickled down the supply chain
- Impacts Intel and Lenovo servers; Binarly estimates ~2000+ vulnerable devices
- Many impacted models are now EOL and will remain vulnerable, highlighting firmware supply chain gaps
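The bug class in the second bullet, a heap out-of-bounds read that hands neighbouring heap bytes (pointers, addresses) back to a remote client, is easy to see in a small, self-contained C example. The code below is an added illustration written for this summary; it is not Lighttpd's code, and it makes no claim about where in Lighttpd the real bug lives. It assumes a constructed fixed-width header field (FIELD_LEN, parse_field_unchecked, parse_field_checked are all invented names) and builds a heap buffer in which the client-supplied value is followed by marker bytes standing in for adjacent heap data, so the leak is deterministic and can be measured rather than relying on undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed scenario: a header value is documented as a fixed-width field
   of exactly FIELD_LEN bytes. The vulnerable parser trusts that documentation
   instead of the length actually received. */
#define FIELD_LEN 16

/* Vulnerable: ignores value_len and always reads FIELD_LEN bytes. When the
   client sends a shorter value, the read runs past the end of the value and
   copies whatever follows it on the heap into the output (the OOB read). */
static size_t parse_field_unchecked(const char *value, size_t value_len, char *out) {
    (void)value_len;                 /* received length ignored: the bug */
    memcpy(out, value, FIELD_LEN);
    return FIELD_LEN;
}

/* Hardened: the received length is checked before any memory is read, and
   nothing beyond value_len is ever touched. Returns 0 (reject) on mismatch. */
static size_t parse_field_checked(const char *value, size_t value_len, char *out) {
    if (value_len != FIELD_LEN) return 0;
    memcpy(out, value, FIELD_LEN);
    return FIELD_LEN;
}

/* Simulated heap layout: one 64-byte allocation holding a 6-byte client value
   ("abcdef") followed by 'X' marker bytes that stand in for neighbouring heap
   data such as pointers. Runs the given parser with the true length (6) and
   returns how many marker bytes ended up in the parser's output. Keeping the
   markers inside the same allocation keeps the demo free of undefined
   behaviour while still showing the information leak. */
static size_t marker_bytes_copied(size_t (*parser)(const char *, size_t, char *)) {
    const char value[] = "abcdef";          /* 6 bytes, shorter than FIELD_LEN */
    const size_t value_len = strlen(value);
    char *heap = calloc(1, 64);
    if (heap == NULL) return 0;
    memcpy(heap, value, value_len);
    memset(heap + value_len, 'X', 64 - value_len);   /* "adjacent heap data" */

    char out[FIELD_LEN];
    memset(out, 0, sizeof out);
    size_t n = parser(heap, value_len, out);

    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] == 'X') leaked++;
    }
    free(heap);
    return leaked;
}

/* Number of adjacent-heap bytes the unchecked parser returns to the client:
   FIELD_LEN (16) - 6 supplied bytes = 10. */
size_t leaked_with_unchecked_parser(void) {
    return marker_bytes_copied(parse_field_unchecked);
}

/* The checked parser rejects the short value, so nothing leaks: 0. */
size_t leaked_with_checked_parser(void) {
    return marker_bytes_copied(parse_field_checked);
}

int main(void) {
    printf("unchecked parser leaked %zu adjacent heap bytes\n", leaked_with_unchecked_parser());
    printf("checked parser leaked %zu adjacent heap bytes\n", leaked_with_checked_parser());
    return 0;
}
```

The detection angle is the same as the fix: any parser that derives a read length from a format assumption rather than from the byte count it actually received is a candidate for this class of bug, and a request with a deliberately short field is the cheapest regression test to keep in a firmware component's CI.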