
Intel and Lenovo servers impacted by 6-year-old BMC flaw
2024-04-11 16:50

An almost 6-year-old vulnerability in the Lighttpd web server embedded in Baseboard Management Controllers (BMCs) has been overlooked by many device vendors, including Intel and Lenovo.

Although the vulnerability was fixed in August 2018, the Lighttpd maintainers patched it silently in version 1.4.51 without assigning a CVE or any other tracking ID. With nothing to flag the change as security-relevant, the developers of AMI's MegaRAC BMC firmware missed the fix and never integrated it into the product, and the vendors building on MegaRAC inherited the unpatched web server.

Binarly tracks the issue under three advisories:

BRLY-2024-002: Lighttpd version 1.4.45 in Intel's M70KLP series firmware version 01.04.0030, impacting certain Intel server models.

BRLY-2024-003: Lighttpd version 1.4.35 in Lenovo BMC firmware version 2.88.58, used in Lenovo server models HX3710, HX3710-F, and HX2710-E.

BRLY-2024-004: General vulnerability in Lighttpd web server versions before 1.4.51, allowing an attacker to read sensitive data from the server's process memory.
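Because the fix carries no CVE, vulnerability scanners keyed on identifiers will not flag it, so the practical first check is the Lighttpd version a BMC exposes. The script below is an added example written for this article; it is not Binarly's tooling nor any vendor's code. It parses the Server header out of raw HTTP responses (the responses here are constructed samples, not captures from real devices) and classifies each device against the 1.4.51 fix boundary. It assumes the BMC reports its version in the Server banner; Lighttpd can suppress that with its server.tag setting, and a vendor may backport a fix without bumping the version, so an unknown or apparently patched banner should fall back to the firmware version listed in the vendor advisory.

```python
import re
from typing import Dict, Optional, Tuple

# First Lighttpd release carrying the silent fix, per the article.
FIXED_VERSION = (1, 4, 51)

# Constructed sample responses (not captured from real hardware). The two
# vulnerable version strings mirror the ones named in the Binarly advisories.
SAMPLE_RESPONSES: Dict[str, str] = {
    "bmc-a": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.45\r\nContent-Type: text/html\r\n\r\n",
    "bmc-b": "HTTP/1.1 401 Unauthorized\r\nServer: lighttpd/1.4.35\r\n\r\n",
    "bmc-c": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.59\r\n\r\n",
    "bmc-d": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n",  # version hidden via server.tag
    "bmc-e": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_lighttpd_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric Lighttpd version from a Server banner, e.g. 'lighttpd/1.4.45'."""
    m = re.match(r"\s*lighttpd/(\d+(?:\.\d+)*)", tag, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(raw_response: str) -> str:
    """Classify one device response against the 1.4.51 fix boundary."""
    tag = server_header(raw_response)
    if tag is None or not tag.lower().startswith("lighttpd"):
        return "not-lighttpd"
    version = parse_lighttpd_version(tag)
    if version is None:
        # Banner present but versionless: cannot decide from the wire,
        # check the firmware version against the vendor advisory instead.
        return "lighttpd-unknown-version"
    # Tuple comparison orders (1, 4, 45) < (1, 4, 51) component by component.
    return "vulnerable" if version < FIXED_VERSION else "fixed"


def scan(responses: Dict[str, str]) -> Dict[str, str]:
    """Classify a batch of responses keyed by device name."""
    return {name: classify(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```

In a real sweep the raw responses would come from a HEAD or GET against each BMC's management interface; keep the scan on the isolated management network, since the vulnerable server is the one you are probing.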

Binarly, which discovered the problem, notified Intel and Lenovo, both of which ship impacted devices.

According to Binarly, there is a "Massive number" of vulnerable and publicly reachable BMC devices that have reached end-of-life; because no patches will be issued for them, they will remain vulnerable indefinitely.


News URL

https://www.bleepingcomputer.com/news/security/intel-and-lenovo-servers-impacted-by-6-year-old-bmc-flaw/