First Page Design
Site Theme
The hardware that Intel and Lenovo have been touting for years comprises a remotely exploitable vulnerability that will never be patched. The cause: a source chain factor involving a package of open-source software and hardware from various brands that have either incorporated it directly or incorporated it into their products. .
Researchers at security firm Binarly showed that this bug led Intel, Lenovo, and Supermicro to ship server hardware that contained a vulnerability that can be exploited to reveal critical security information. However, the researchers cautioned that any hardware that incorporates certain generations of motherboard control controllers via AMI, in Duluth, Georgia, or AETN, in Taiwan, is also affected.
BMCs are small computers soldered to server motherboards that enable cloud centers and their customers to streamline remote control of fleets of giant servers. They allow administrators to remotely reinstall operational formulas, install and uninstall applications, and control almost every aspect. of the formula, even when it’s turned off. BMCs provide what is known in the industry as “no-lighting” formula control. AMI and AETN are two of BMC’s many manufacturers.
For years, BMCs of various brands have incorporated vulnerable versions of an open-source software known as lighttpd. Lighttpd is a fast and lightweight internet server, compatible with various hardware and software platforms. It is used in all types of software, adding built-in devices, such as BMC, to allow remote administrators to servers remotely with HTTP requests.
In 2018, lighttpd developers released a new edition that features “various post-release usage scenarios,” a vague reference to a vulnerability class that can be exploited remotely to alter the security-sensitive memory functions of the affected software. Despite the description, the update used the word “vulnerability” and came with a CVE vulnerability tracking number as usual.
BMC makers, in addition to AMI and ATEN, were employing the affected versions of lighttpd when the vulnerability was patched and continued to do so for years, the Binarly researchers said. Server manufacturers, in turn, have continued to integrate vulnerable BMCs into their hardware over time. same period of several years. Binarly has met 3 of those server manufacturers: Intel, Lenovo, and Supermicro. Hardware sold through Intel last year is affected. Binarly said Intel and Lenovo have no plans to release patches because the affected hardware is no longer affected. The affected Supermicro products are still in editing.
“All those years, [the lighttpd vulnerability] was provided in the firmware and no one cared to update any of the third-party parts used to create this firmware symbol,” Binarly researchers wrote Thursday. “This is another very best example of inconsistencies in the firmware’s source chain. A heavily superseded third-party component is provided in the latest firmware edition, creating a greater threat to end-users. Are there other systems in the industry that use lighttpd vulnerable editing?
The vulnerability allows hackers to identify memory controllers guilty of handling key functions. Operating systems try to randomize and hide those places so they can’t be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, attackers can simply defeat this popular protection, known as dealing with area design randomization. The chaining of two or more exploits is a common feature in hacking attacks today, as software makers continue to add anti-exploit protections to their code.
It’s tricky to trace the source chain of multiple BMCs used in multi-server hardware. So far, Binarly has identified AMI’s MegaRAC BMC as one of the vulnerable BMCs. The security company has proven that the BMC AMI is contained in the Intel Server System M70KLP. hardware. No information is available at this time on ATEN BMCs or Lenovo and Supermicro hardware. The vulnerability is provided on any lighttpd hardware versions 1. 4. 35, 1. 4. 45 and 1. 4. 51.
In a statement, Lenovo wrote:
Lenovo is aware of the MegaRAC AMI factor known through Binarly. We are working with our vendor to identify any potential effects on Lenovo products. ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and will not be affected.
An AMI representative declined to comment on the vulnerability, but added popular statements that security is a vital priority. An Intel representative showed the accuracy of Binarly’s report. Supermicro representatives did not respond to an email confirming the report.
The lighttpd flaw is the so-called out-of-bounds read vulnerability caused by insects in the parsing logic of HTTP requests. Hackers can exploit maliciously crafted HTTP requests.
“A potential attacker could simply exploit this vulnerability to read the process memory of the Lighttpd web server,” Binarly researchers wrote in an advisory. “This can lead to the leakage of sensitive data, such as memory addresses, which can be used to bypass security mechanisms such as ASLR. ” Reviews can be found here, here, and here.
Individuals or organizations that use Supermicro hardware deserve to consult with the manufacturer for data on possible solutions. In the absence of available patches from Intel or Lenovo, there is little and a lot that users of that affected hardware can do. However, it is explicitly mentioned that the severity of the lighttpd vulnerability is only moderate and priceless unless an attacker has an exploit running for a much more severe vulnerability. In general, BMCs only deserve to be activated when necessary and conscientiously blocked, as they allow ordinary control of entire fleets of servers with undeniable HTTP requests sent over the Internet.
Join the Ars Orbital Transmission email to receive weekly updates in your inbox. Sign up →