Intel and Lenovo Servers Affected by Unpatched BMC Security Flaw

A vulnerability affecting the Lighttpd web server used in baseboard management controllers (BMCs) has gone unpatched for years. Learn more about the security flaw and the nature of the threat.

April 16, 2024

Server Security
  • Intel and Lenovo’s Lighttpd web servers that are used in baseboard management controllers (BMCs) have a security vulnerability that has been unpatched for years.
  • Developers have been overlooking the flaw owing to the lack of an advisory or CVE identifier.

A security vulnerability affecting the Lighttpd web server used in baseboard management controllers (BMCs) has reportedly remained unpatched in Lenovo and Intel servers since 2018, despite a fix being available. The patch was apparently never applied because no advisory or CVE identifier was issued for the flaw; AMI MegaRAC BMC developers overlooked it, and the vulnerable code was carried into Intel and Lenovo products.

The bug is an out-of-bounds read vulnerability that bad actors can use to extract sensitive data from process memory and to circumvent defenses such as address space layout randomization. Such problems frequently affect software built on open-source components: without a security advisory, downstream integrators have no signal that a given upstream update is security-relevant, so not every fix gets picked up. The risk is even greater for firmware, which is updated far less often, sometimes not for years.


Baseboard management controllers are used on server-grade motherboards and are commonly found in cloud and data center environments. They allow monitoring, rebooting, remote management, and firmware updates on devices, making them key components of server setups. Both Lenovo and Intel, however, have chosen not to fix the vulnerability because the affected products have reached end-of-life status and are no longer eligible for security updates. This means the bug is expected to remain present for as long as the devices are in use.

The incident highlights the need for prompt publication of information about security vulnerabilities and their fixes, and the importance of tracking patches through software and firmware supply chains. The bug also draws attention to the risks that arise from the use of outdated third-party components.


Anuj Mudaliar
Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.