6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities in open-source components and inconsistent update uptake. 

The lighttpd vulnerability was silently fixed in 2018 without any CVE assignment in a single instance of vulnerability detection.

As a result, critical security patches are often lost on downstream software that relies on these elements.

Consequently, it is very difficult to trace every modification for possible problems without designated security advisories and CVE assignments, which creates gaps in vulnerability management across the supply chain.

Binary cybersecurity researchers recently discovered that Lighttpd, a 6-year-old security flaw, has impacted Intel and Lenovo servers.

6-year-old Lighttpd Flaw

While studying BMC safety, Binarly encountered a heap out-of-bounds read vulnerability (BRLY-2024-002) in the Lighttpd module of a discontinued Intel Server System product. 

The unpatched flaw, which was fixed silently multiple years ago without CVE, would not be addressed as it was no longer under support. 

This complexity and insecurity of firmware and software supply chains are well illustrated by the existence of vulnerabilities in third-party components that are left isolated for years, leading to long-term risks with destructing consequences for different sectors. 

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

While the expected life cycle reactions make sense, there is an underlying issue regarding ungoverned exposures in the supply chain that needs to be addressed promptly by taking proactive measures.

The finding also shows contradictions in the firmware supply chain, as some of the latest versions contain outdated third-party components that create additional risks for users.

Further research confirmed that Lenovo BMC firmware for HX3710, HX3710-F, and HX2710-E servers was similarly affected by this vulnerability.

Like Intel, their response noted that these servers had become end-of-life, making it difficult to release future security updates.

Coverages (Source – Binarly)

This situation highlights a more general problem of unpatched vulnerabilities in older products caused by the complexity of firmware supply chains and lifecycle management.

The silent fix does not include an advisory or CVE identifier to facilitate patch management processes that further complicate the problem. 

No prompt, significant information on security fixes makes effective handling of firmware and software supply chains impossible. 

Binary assigned identifiers BRLY-2024-002 and BRLY-2024-003 for the affected Intel and Lenovo BMC firmware, while BRLY-2024-004 was given to the vulnerable Lighttpd build.

This indicates that better vulnerability disclosure and coordination are required across the complicated supply chain ecosystem.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Beware Of SpyLoan Apps Exploits Social Engineering To Steal User Data

SpyLoan apps, a type of PUP, are rapidly increasing, exploiting social engineering to deceive users…

51 minutes ago

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond,…

1 hour ago

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has created…

3 hours ago

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…

3 hours ago

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…

3 hours ago

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…

4 hours ago