A communication gap several years ago has resurfaced as a vulnerability affecting thousands of devices, including Intel and Lenovo servers. The flaw, found and fixed by the Lighttpd maintainers, is a remotely exploitable heap out-of-bounds read that could let a threat actor leak process memory addresses. The patch was released in 2018, but no CVE was assigned, so BMC firmware kept shipping the unpatched code and left servers and their customers exposed. Security researchers recently rediscovered the vulnerability during a BMC firmware scan; it affects multiple products from Intel, Lenovo and Supermicro, with over 2000 devices impacted.
Key Takeaways
- A security flaw in Lighttpd discovered 6 years ago left thousands of devices, including Intel and Lenovo servers, vulnerable to a remotely exploitable heap out-of-bounds (OOB) read vulnerability.
- The flaw was patched in August 2018, but no CVE was assigned, so downstream developers never noticed the fix and did not integrate it into their products, creating a supply chain vulnerability.
- Security researchers at Binarly rediscovered the vulnerability during a BMC firmware scan, identifying over 2000 impacted devices, some of them released as recently as late February last year.
- Intel and Lenovo state that the impacted models have reached end-of-life and are no longer recommended for use, but those systems remain vulnerable until replaced with newer, supported hardware.
- Depending on the vendor and device, the vulnerability was given three separate identifiers: BRLY-2024-002, BRLY-2024-003 and BRLY-2024-004.
News Content
A six-year-old vulnerability in the Lighttpd web server, patched in 2018 but never assigned a CVE, has left thousands of devices, including Intel and Lenovo servers, open to exploitation. Because there was no CVE to track, the developers of AMI MegaRAC BMCs missed the fix, and the unpatched code propagated through the supply chain to system vendors and their customers. Security researchers at Binarly rediscovered the vulnerability, which affects over 2000 devices and carries the identifiers BRLY-2024-002, BRLY-2024-003 and BRLY-2024-004. Although some affected systems have reached end-of-life and are not recommended for use, they remain vulnerable until replaced with newer, supported systems.
The root cause is a communication gap rather than a new bug: a fix that was never announced as a security fix did not reach the firmware builds that depended on the patched component. The discovery shows how a silently fixed flaw can persist for years in server devices across multiple vendors, and it underlines the importance of assigning identifiers to security fixes and tracking patch adoption throughout the supply chain. With thousands of exposed devices identified and the potential for wider impact, it is a reminder of the ongoing difficulty of maintaining security across diverse technology ecosystems.
Analysis
The Lighttpd flaw is a supply chain security failure more than a web server failure. The upstream fix existed for six years, but without a CVE it was invisible to the AMI MegaRAC BMC developers and, through them, to the system vendors and customers who received the firmware. The consequences are long-lived: the affected servers are embedded in data center infrastructure, and several impacted models are end-of-life with no fix forthcoming, so exposure ends only when the hardware is retired. The case argues for assigning identifiers to every security-relevant fix and for downstream vendors to track the components they embed, and it carries a reputational and operational cost for the affected vendors and organizations.
Did You Know?
- Lighttpd web server: A lightweight open-source web server, embedded in firmware such as BMCs; a six-year-old fix in it that was never labelled as a security fix has left thousands of devices vulnerable to exploitation.
- CVE (Common Vulnerabilities and Exposures): A unique identifier assigned to a publicly disclosed security vulnerability, used by vendors, scanners and databases to track which fix applies to which product. A fix that ships without a CVE is easily missed by downstream integrators, which is what happened here.
- AMI MegaRAC BMCs: Baseboard management controllers (BMCs) developed by American Megatrends Inc. (AMI) and embedded in many server platforms. Because the Lighttpd fix had no CVE, the BMC firmware continued to carry the vulnerable code, passing the flaw on to system vendors and their customers.