Security firm Binarly has confirmed that this oversight has led to Intel, Lenovo, and Supermicro distributing server hardware with a vulnerability that could be exploited to disclose critical security information. The researchers have warned that hardware incorporating sure generations of baseboard management controllers (BMCs) made by AMI of Duluth, Georgia, and Taiwan's AETN could be affected.
BMCs are microcomputers integrated into server motherboards that enable the remote management of large server fleets. They allow administrators to control almost every aspect of the system remotely, even when it's switched off. For years, BMCs from various manufacturers have included vulnerable versions of the open-source software Lighttpd.
Lighttpd is a speedy, lightweight web server compatible with various hardware and software platforms. It's used in numerous products, including embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests.
Binary researchers have highlighted the lighttpd vulnerability in the firmware for years, but no one has bothered to update one of the third-party components used to build this firmware image. This is another example of inconsistencies in the firmware supply chain, with an outdated third-party component present in the latest version of firmware posing additional risk for end users.
The vulnerability allows hackers to identify memory addresses responsible for critical functions. Operating systems work hard to randomise and hide these locations to prevent their use in software exploits. However, hackers could overcome this standard protection by chaining an exploit for the lighttpd vulnerability with a separate vulnerability, known as address space layout randomisation.
Tracking the supply chain for multiple BMCs used in various server hardware is a daunting task. Binarly has so far identified AMI's MegaRAC BMC as one of the vulnerable BMCs and confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro is currently unavailable. The vulnerability is widespread, present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51.
Binarly researchers issued a stark warning in its advisories here, here, and here.: "A potential attacker can exploit this vulnerability to read the memory of the Lighttpd Web Server process. This could lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR."