Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

BMC flaw left unchecked for 6 years hits Intel and Lenovo servers

Security.

A lack of communication which occured several years ago resulted in thousands of devices being vulnerable to a remotely exploitable heap out-of-bounds (OOB) read vulnerability today - and among the vulnerable devices are Intel and Lenovo servers.

Six years ago, the maintainers of Lighttpd discovered the above-mentioned flaw, which could allow threat actors to exfiltrate process memory addresses. That, in turn, could have been used to work around protection mechanisms. 

The security team patched the flaw in August 2018, in version 1.4.51, but they didn’t assign a CVE. Lighttpd is an open-source web server optimized for speed-critical environments.

Thousands of vulnerable devices

As the CVE wasn’t assigned, the developers of AMI MegaRAC Baseboard Management Controllers (BMC) missed the update and did not integrate it into their product, BleepingComputer reports. BMCs are microcontrollers found on motherboards built for servers, data centers, cloud environments, and similar. They are designed for remote management, rebooting, monitoring, and firmware.

Consequently, the vulnerability was passed down the supply chain to system vendors and their customers.

Six years later, during a BMC scan, security researchers Binarly stumbled upon the vulnerability. The company says that multiple products, including some from Intel, Lenovo, and Supermicro, are all vulnerable.

"Based on our data, nearly 2000+ devices are impacted in the field. In reality, this number is even bigger," the researchers told BleepingComputer.

Depending on the vendors and the devices, the vulnerability was given three separate identifiers: BRLY-2024-002, BRLY-2024-003, and BRLY-2024-004.

While Binarly claims that some of the vulnerable systems were released as recently as late February last year, both Intel and Lenovo said the impacted models reached end-of-life and as such aren’t recommended for use anyway. They will never receive further patches to address the problem, and will remain vulnerable until they are replaced with newer, supported systems.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.