
Unresolved for six years: some Intel and Lenovo servers are still affected by a 2018 BMC web-server vulnerability

Thu, Apr 25 2024 08:20 PM EST

On April 16th, pulsestacks reported that firmware supply-chain security firm Binarly had found that some Intel and Lenovo servers still ship BMC firmware containing a Lighttpd vulnerability that was fixed upstream in 2018.

Lighttpd is a lightweight open-source web server known for its low resource consumption. It is commonly embedded in the firmware of Baseboard Management Controllers (BMCs) on server motherboards, where it serves the BMC's web management interface.

pulsestacks note: A BMC is a dedicated embedded processor on the motherboard that runs its own firmware independently of the host CPU and operating system. It provides remote management (console access, power control and reboot), firmware updates and hardware monitoring, and it is reachable over the network even when the host is powered off, which is why a flaw in its web server matters.

In 2018, a remotely reachable memory-safety bug was found in Lighttpd (an out-of-bounds read in HTTP header handling that can leak process memory to an unauthenticated client), and the Lighttpd developers fixed it promptly.

However, the developers did not assign the fix any tracking identifier, CVE number included. Such a silent fix draws little attention to either the vulnerability or its remedy, and downstream consumers who pin an older release have no advisory to act on.

Firmware developers for the downstream AMI MegaRAC BMC line did not notice the fix during the long period from 2019 to 2023 and never backported it into the Lighttpd build shipped in their firmware.

Some Intel and Lenovo servers that use AMI MegaRAC BMCs inherited the issue through this supply chain. The Binarly team states that at least 2000 servers remain exposed to the Lighttpd issue.
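A practitioner's first question is whether a given BMC's web interface still runs the old Lighttpd build. The script below is an added example, not code from Binarly, AMI, Intel or Lenovo: it parses the HTTP Server header a BMC returns and compares the announced lighttpd version against the release that carried the fix. The page does not name that release; this example assumes it is 1.4.51, and treats that boundary as an assumption. It also assumes the BMC still announces its version in the Server header; firmware that strips the header needs an inspection of the firmware image instead, and the script reports those hosts as "unknown" rather than "patched".

```python
"""Triage the lighttpd build announced by a BMC web interface.

Added example (not Binarly/AMI/Intel/Lenovo code). Assumption: every
lighttpd release before 1.4.51 predates the silent 2018 fix.
"""
import re
import ssl
import urllib.error
import urllib.request

FIXED_VERSION = (1, 4, 51)  # assumption: first lighttpd release carrying the fix
SERVER_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(server_header):
    """Return (major, minor, patch) from a Server header value, or None when
    the header is missing, names another server, or hides the version."""
    if not server_header:
        return None
    m = SERVER_RE.search(server_header)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True when the announced version predates the fixed release."""
    return version is not None and version < FIXED_VERSION


def classify(server_header):
    """Triage verdict for one BMC: 'vulnerable', 'patched' or 'unknown'.
    A hidden or absent version is deliberately NOT treated as patched."""
    version = parse_lighttpd_version(server_header)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


def fetch_server_header(host, timeout=5.0):
    """Fetch the Server header from a BMC's HTTPS front page (network call,
    not exercised by the offline sample below). BMCs usually present
    self-signed certificates, so verification is disabled for triage only;
    do not reuse this context for anything that sends credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        # A 401/403 from the login page still carries the Server header.
        return err.headers.get("Server")


def triage(headers):
    """Map each host to its verdict; input is {host: server_header_or_None}."""
    return {host: classify(h) for host, h in headers.items()}


# Constructed sample headers for offline use (not captured from real devices).
SAMPLE_HEADERS = {
    "bmc-a": "lighttpd/1.4.45",   # pre-fix build
    "bmc-b": "lighttpd/1.4.51",   # exactly the assumed fixed release
    "bmc-c": "lighttpd/1.4.63",   # newer build
    "bmc-d": "lighttpd",          # version hidden by the vendor
    "bmc-e": None,                # Server header stripped entirely
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{host}: {verdict}")
```

To run it against real management interfaces, replace the sample dictionary with `{host: fetch_server_header(host) for host in bmc_hosts}` from a machine on the management network. Treat "unknown" results as work items, not as clean: a vendor can hide the version string without having rebuilt the web server.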

In response, Lenovo informed BleepingComputer that they are aware of the AMI MegaRAC problem identified by Binarly and are working with the supplier to assess the impact.

Intel, for its part, said that the affected servers have reached end-of-life (EOL) and no longer receive security updates, which means they remain exposed until they are decommissioned. Until then the standard BMC precaution applies: keep management interfaces off production and internet-facing networks and reachable only from an isolated management segment.