A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal.
一项影响基板管理控制器(BMCs)中使用的Lighttpd Web服务器的安全漏洞仍未被像英特尔和联想这样的设备供应商修补,Binarly的新发现显示。
While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo.
尽管原始缺陷于2018年8月由Lighttpd维护者发现并修补,版本为1.4.51,但缺乏CVE标识符或公告意味着AMI MegaRAC BMC的开发人员忽视了它,最终出现在由英特尔和联想制造的产品中。
Lighttpd (pronounced "Lighty") is an open-source high-performance web server software designed for speed, security, and flexibility, while optimized for high-performance environments without consuming a lot of system resources.
Lighttpd(发音为“Lighty”)是一个为速度、安全性和灵活性而设计的开源高性能Web服务器软件,优化了高性能环境,而不会消耗大量系统资源。
The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (ASLR).
Lighttpd的静默修复涉及一种越界读漏洞,可以被利用来窃取敏感数据,例如进程内存地址,从而允许威胁行为者绕过关键的安全机制,如地址空间布局随机化(ASLR)。
"The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains," the firmware security company said.
固件安全公司表示:“有关安全修复的及时和重要信息的缺失阻碍了这些修复在固件和软件供应链中的正确处理。”
The flaws are described below -
以下是描述的缺陷 -
-
Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
Intel M70KLP系列固件中使用的Lighttpd 1.4.45中的越界读
-
Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
联想BMC固件中使用的Lighttpd 1.4.35中的越界读
-
Out-of-bounds read in Lighttpd before 1.4.51
Lighttpd 1.4.51之前的越界读
Intel and Lenovo have opted not to address the issue as the products incorporating the susceptible version of Lighttpd have hit end-of-life (EoL) status and are no longer eligible for security updates, effectively turning it into a forever-day bug.
英特尔和联想选择不解决此问题,因为集成了易受影响的Lighttpd版本的产品已经达到了终端生命周期(EoL)状态,并且不再有资格进行安全更新,从而有效地将其转变为永久性漏洞。
The disclosure highlights how the presence of outdated third-party components in the latest version of firmware can traverse the supply chain and pose unintended security risks for end users.
披露突出显示了最新固件版本中过时第三方组件的存在如何穿越供应链并为最终用户带来意外的安全风险。
"This is yet another vulnerability that will remain unfixed forever in some products and will present high-impact risk to the industry for a very long time," Binarly added.
Binarly补充说:“这是另一个将在某些产品中永远无法修复的漏洞,将长期对行业造成高影响风险。”
参考资料
[1]https://thehackernews.com/2024/04/intel-and-lenovo-bmcs-contain-unpatched.html
关注我们
欢迎来到我们的公众号!我们专注于全球网络安全和精选双语资讯,为您带来最新的资讯和深入的分析。在这里,您可以了解世界各地的网络安全事件,同时通过我们的双语新闻,获取更多的行业知识。感谢您选择关注我们,我们将继续努力,为您带来有价值的内容。
原文始发于微信公众号(知机安全):未修复的Lighttpd漏洞影响英特尔和联想BMCs
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论