BMC flaw left unchecked for 6 years hits Intel and Lenovo servers

News
By Sead Fadilpašić
published

Affected devices had reached end-of-life, the manufacturers claim

Security
(Image credit: Shutterstock) (Image credit: Shutterstock)

A lack of communication which occured several years ago resulted in thousands of devices being vulnerable to a remotely exploitable heap out-of-bounds (OOB) read vulnerability today - and among the vulnerable devices are Intel and Lenovo servers.

Six years ago, the maintainers of Lighttpd discovered the above-mentioned flaw, which could allow threat actors to exfiltrate process memory addresses. That, in turn, could have been used to work around protection mechanisms. 

The security team patched the flaw in August 2018, in version 1.4.51, but they didn’t assign a CVE. Lighttpd is an open-source web server optimized for speed-critical environments.

Thousands of vulnerable devices

As the CVE wasn’t assigned, the developers of AMI MegaRAC Baseboard Management Controllers (BMC) missed the update and did not integrate it into their product, BleepingComputer reports. BMCs are microcontrollers found on motherboards built for servers, data centers, cloud environments, and similar. They are designed for remote management, rebooting, monitoring, and firmware.

Consequently, the vulnerability was passed down the supply chain to system vendors and their customers.

Six years later, during a BMC scan, security researchers Binarly stumbled upon the vulnerability. The company says that multiple products, including some from Intel, Lenovo, and Supermicro, are all vulnerable.

"Based on our data, nearly 2000+ devices are impacted in the field. In reality, this number is even bigger," the researchers told BleepingComputer.

Depending on the vendors and the devices, the vulnerability was given three separate identifiers: BRLY-2024-002, BRLY-2024-003, and BRLY-2024-004.

While Binarly claims that some of the vulnerable systems were released as recently as late February last year, both Intel and Lenovo said the impacted models reached end-of-life and as such aren’t recommended for use anyway. They will never receive further patches to address the problem, and will remain vulnerable until they are replaced with newer, supported systems.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.