6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities in open-source components and inconsistent update uptake. 

The lighttpd vulnerability was silently fixed in 2018 without any CVE assignment in a single instance of vulnerability detection.

As a result, critical security patches are often lost on downstream software that relies on these elements.

Consequently, it is very difficult to trace every modification for possible problems without designated security advisories and CVE assignments, which creates gaps in vulnerability management across the supply chain.

Binary cybersecurity researchers recently discovered that Lighttpd, a 6-year-old security flaw, has impacted Intel and Lenovo servers.

6-year-old Lighttpd Flaw

While studying BMC safety, Binarly encountered a heap out-of-bounds read vulnerability (BRLY-2024-002) in the Lighttpd module of a discontinued Intel Server System product. 

The unpatched flaw, which was fixed silently multiple years ago without CVE, would not be addressed as it was no longer under support. 

This complexity and insecurity of firmware and software supply chains are well illustrated by the existence of vulnerabilities in third-party components that are left isolated for years, leading to long-term risks with destructing consequences for different sectors. 

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

While the expected life cycle reactions make sense, there is an underlying issue regarding ungoverned exposures in the supply chain that needs to be addressed promptly by taking proactive measures.

The finding also shows contradictions in the firmware supply chain, as some of the latest versions contain outdated third-party components that create additional risks for users.

Further research confirmed that Lenovo BMC firmware for HX3710, HX3710-F, and HX2710-E servers was similarly affected by this vulnerability.

Like Intel, their response noted that these servers had become end-of-life, making it difficult to release future security updates.

Coverages (Source – Binarly)

This situation highlights a more general problem of unpatched vulnerabilities in older products caused by the complexity of firmware supply chains and lifecycle management.

The silent fix does not include an advisory or CVE identifier to facilitate patch management processes that further complicate the problem. 

No prompt, significant information on security fixes makes effective handling of firmware and software supply chains impossible. 

Binary assigned identifiers BRLY-2024-002 and BRLY-2024-003 for the affected Intel and Lenovo BMC firmware, while BRLY-2024-004 was given to the vulnerable Lighttpd build.

This indicates that better vulnerability disclosure and coordination are required across the complicated supply chain ecosystem.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL Launch…

18 minutes ago

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being actively…

1 hour ago

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to solve…

3 hours ago

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and raising…

4 hours ago

Thinkware Cloud APK Vulnerability Allows Code Execution With Elevated Privileges

A critical vulnerability identified as CVE-2024–53614 has been discovered in the Thinkware Cloud APK version…

5 hours ago

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and UD-LT1/EX…

6 hours ago