An anonymous reader cites a report from Ars Technica. Hardware sold for years by companies like Intel and Lenovo contains vulnerabilities that can be exploited remotely and will never be fixed. The cause: a breakdown in the supply chain involving an open source software package and hardware from multiple manufacturers that incorporated it, directly or indirectly, into their products. Researchers at security firm Binarly have confirmed that the lapse caused Intel, Lenovo and Supermicro to ship server hardware containing vulnerabilities that can be exploited to leak security-critical information. The researchers also warned that any hardware incorporating certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN is affected as well.
A BMC is a small computer soldered to a server's motherboard that allows cloud centers, and sometimes their customers, to streamline remote management of large fleets of servers. It lets administrators remotely reinstall the OS, install and uninstall apps, and control nearly every other aspect of the system, even when it is powered off. BMCs provide what the industry calls "lights-out" systems management. AMI and AETN are two of several BMC manufacturers. Over the years, BMCs from multiple manufacturers have included vulnerable versions of an open source package known as lighttpd. Lighttpd is a fast, lightweight web server that runs on a wide range of hardware and software platforms. It is used in all kinds of products, including embedded devices such as BMCs, and allows remote administrators to control servers using HTTP requests. […] "For many years now, [the lighttpd vulnerability] […] No one attempted to update one of the third-party components present within the firmware and used to build this firmware image," Binarly researchers wrote on Thursday. "This is another perfect example of a mismatch in the firmware supply chain. Very outdated third-party components are present in the latest versions of firmware, creating additional risks for end users. Across the industry, are there other systems using vulnerable versions of lighttpd?"
The vulnerability allows attackers to determine the memory addresses that handle key functions. Operating systems take pains to randomize and hide these locations so that they cannot be used to exploit the software. By chaining an exploit of the lighttpd vulnerability with a second vulnerability, an attacker could defeat this standard protection, known as address space layout randomization (ASLR). Chaining two or more exploits has become a common feature of attacks as software makers keep adding exploit-prevention protections to their code. Tracing the supply chain of the many BMCs used in many server products is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs, and the security company has confirmed that this AMI BMC is included in Intel Server System M70KLP hardware. Information regarding ATEN's BMC, Lenovo, and Supermicro hardware is not available at this time. The vulnerability exists in all hardware using lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker could exploit this vulnerability to read the memory of the Lighttpd web server process," the Binarly researchers said in the advisory. "This could potentially leak sensitive data such as memory addresses, which could be used to bypass security mechanisms such as ASLR." The advisories are available here, here, and here.
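As an added illustration of the inventory problem the report describes (this code is not from the article, from Binarly, or from any vendor), the script below triages a fleet of BMC web-server banners against the three lighttpd versions the article lists as affected. The inventory lines, hostnames and banner strings are constructed sample data; real banners may omit or hide the version, so those hosts are flagged for verification from the firmware image or the vendor's advisory rather than silently cleared.

```python
"""Triage BMC web-server banners against lighttpd versions reported as affected.

Added example, not from the article or Binarly. Inventory entries are constructed.
"""
import re
from typing import List, Optional, Tuple

# Versions the article names as affected (the only ones this script flags).
AFFECTED_LIGHTTPD = {"1.4.35", "1.4.45", "1.4.51"}

# Constructed sample inventory: (bmc hostname, value of the HTTP "Server" header).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("bmc-rack1-01", "lighttpd/1.4.35"),
    ("bmc-rack1-02", "lighttpd/1.4.59"),
    ("bmc-rack2-01", "lighttpd"),                # banner hides the version
    ("bmc-rack2-02", "nginx/1.24.0"),
    ("bmc-rack3-01", "Lighttpd/1.4.51 (Unix)"),  # mixed case plus platform suffix
]

# Matches "lighttpd" optionally followed by "/<dotted version>" at the start of the banner.
_SERVER_RE = re.compile(r"^lighttpd(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)


def parse_server_banner(banner: str) -> Tuple[bool, Optional[str]]:
    """Return (is_lighttpd, version). version is None when the banner omits it."""
    m = _SERVER_RE.match(banner.strip())
    if not m:
        return (False, None)
    return (True, m.group(1))


def classify(banner: str) -> str:
    """Classify one banner for triage.

    'affected'               version is one the article lists
    'lighttpd-version-hidden' lighttpd, but the banner gives no version: check the firmware
    'lighttpd-other-version' lighttpd with a version not in the listed set
    'other-server'           not lighttpd at all
    """
    is_lighttpd, version = parse_server_banner(banner)
    if not is_lighttpd:
        return "other-server"
    if version is None:
        return "lighttpd-version-hidden"
    if version in AFFECTED_LIGHTTPD:
        return "affected"
    return "lighttpd-other-version"


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Map each BMC hostname to its classification."""
    return {host: classify(banner) for host, banner in inventory}


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that are either confirmed affected or cannot be cleared from the banner alone."""
    actionable = {"affected", "lighttpd-version-hidden"}
    return sorted(h for h, s in triage(inventory).items() if s in actionable)


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

The banner check is only a first pass: a BMC whose firmware was built from an old lighttpd can report no version at all, which is exactly the supply-chain blind spot the researchers describe, so the authoritative answer comes from the firmware image's component list, not from the HTTP response.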