Lenovo and Intel refuse to fix a Lighttpd vulnerability, present in their BMC firmware since 2019, on unsupported servers

If exploited, the flaw lets an attacker read sensitive data from the memory of the BMC's web server process, a primitive that can be chained with other bugs to compromise the device.

Binarly Research recently disclosed an old vulnerability in Lighttpd that is still present in the firmware of AMI-based BMCs (baseboard management controllers), including products from Lenovo and Intel. The flaw allows an unauthenticated remote attacker to read the memory of the process that serves the BMC's web interface.

The vulnerability has been present in the firmware since 2019 and stems from the use of an outdated version of the Lighttpd HTTP server, one that still contains a bug fixed upstream years ago. It currently affects Lenovo and Intel server platforms.

About the vulnerability

The impact of the vulnerability is that it allows reading memory that is no longer part of a live allocation. It is caused by an error in Lighttpd's HTTP header merging code, triggered when a request carries multiple instances of the "If-Modified-Since" header.

When processing the second header instance, Lighttpd allocated a new buffer to hold the combined value and freed the buffer containing the first header value. However, the con->request.http_if_modified_since pointer was not updated and kept pointing to the already freed memory area.

The situation is aggravated because this dangling pointer was then used in comparisons of the If-Modified-Since value, and the outcome of those comparisons determined which HTTP status code the server returned. The response code therefore acts as an oracle: by brute force, sending many requests with chosen header values and observing the status codes, an attacker can infer whatever data now occupies the freed memory of the first buffer. Such a leak can be combined with other bugs to, for example, map the process memory layout and bypass mitigations such as ASLR (Address Space Layout Randomization).
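To make the bug pattern and the oracle concrete, here is an added example in C. It is not lighttpd source and not code from the Binarly report: it is a small model with the same shape, in which repeated headers are merged into a fresh buffer and the first buffer is freed. The "vulnerable" design caches a raw pointer to the first If-Modified-Since value while headers are still being read (the counterpart of con->request.http_if_modified_since); the "fixed" design looks the value up from the live header table after parsing. The function names, the status-code model (304 on match or a not-older date, 412 on an unparseable date, 200 otherwise) and the sample request are all constructed for the demo and are not claims about lighttpd's exact code paths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HEADERS 8

/* Added example, not lighttpd source: a model of the header-merge bug described above.
 * The "vulnerable" parser caches a raw pointer to the first If-Modified-Since value
 * while headers are still being read; the "fixed" parser looks it up after merging. */

struct request {
    char *name[MAX_HEADERS], *value[MAX_HEADERS];
    int count;
    const char *ims; /* cached If-Modified-Since (vulnerable design only) */
    int ims_dangles; /* demo bookkeeping: set when a merge frees the buffer ims points to */
};

static char *dup_str(const char *s) { size_t n = strlen(s) + 1; char *p = malloc(n); if (!p) abort(); return memcpy(p, s, n); }
static void free_request(struct request *r) { for (int i = 0; i < r->count; i++) { free(r->name[i]); free(r->value[i]); } }

/* Store a header; a repeated name merges "old, new" into a fresh buffer and frees the old one. */
static void add_header(struct request *r, const char *name, const char *val, int cache_ims) {
    for (int i = 0; i < r->count; i++) {
        if (strcmp(r->name[i], name) != 0) continue;
        char *old = r->value[i];
        size_t n = strlen(old) + strlen(val) + 3; /* ", " plus NUL */
        char *merged = malloc(n); if (!merged) abort();
        snprintf(merged, n, "%s, %s", old, val);
        r->ims_dangles = (r->ims == old); /* compared while old is still valid: no UB here */
        free(old);                         /* in the vulnerable design r->ims now dangles */
        r->value[i] = merged;
        return;
    }
    if (r->count == MAX_HEADERS) abort();
    r->name[r->count] = dup_str(name);
    r->value[r->count] = dup_str(val);
    if (cache_ims && strcmp(name, "If-Modified-Since") == 0)
        r->ims = r->value[r->count]; /* vulnerable: raw pointer, never refreshed after a merge */
    r->count++;
}

/* Fixed design: resolve the header from the live table once parsing is complete. */
static const char *find_header(const struct request *r, const char *name) {
    for (int i = 0; i < r->count; i++)
        if (strcmp(r->name[i], name) == 0) return r->value[i];
    return NULL;
}

/* Constructed request carrying If-Modified-Since twice, as an attacker would send it. */
static const char *const SAMPLE[][2] = {
    {"If-Modified-Since", "Sat, 01 Jan 2000 00:00:00 GMT"},
    {"If-Modified-Since", "Sun, 02 Jan 2000 00:00:00 GMT"},
};

static void parse(struct request *r, int cache_ims) {
    memset(r, 0, sizeof *r);
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        add_header(r, SAMPLE[i][0], SAMPLE[i][1], cache_ims);
}

/* 1 if the cached pointer refers to freed memory; it is never dereferenced here. */
int vulnerable_pointer_dangles(void) {
    struct request r;
    parse(&r, 1);
    int dangles = r.ims_dangles;
    free_request(&r);
    return dangles;
}

/* Strict RFC 1123 date parse into {year, month, day, h, m, s}; returns 1 on success. */
static int parse_date(const char *s, int out[6]) {
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4] = {0}; int n = 0;
    if (sscanf(s, "%*3s, %d %3s %d %d:%d:%d GMT%n", &out[2], mon, &out[0], &out[3], &out[4], &out[5], &n) != 6
        || s[n] != '\0') return 0;
    const char *m = strstr(months, mon);
    if (!m || (m - months) % 3 != 0) return 0;
    out[1] = (int)(m - months) / 3;
    return 1;
}

/* The oracle: exact match -> 304; unparseable -> 412; not older than Last-Modified -> 304; else 200. */
int conditional_status(const char *ims, const char *last_modified) {
    int a[6], b[6];
    if (!ims) return 200;
    if (strcmp(ims, last_modified) == 0) return 304;
    if (!parse_date(ims, a)) return 412;
    if (!parse_date(last_modified, b)) return 200;
    for (int i = 0; i < 6; i++)
        if (a[i] != b[i]) return a[i] > b[i] ? 304 : 200;
    return 304;
}

/* Fixed design end to end: the merged "date, date" value is read from live memory. */
int fixed_status(const char *last_modified) {
    struct request r;
    parse(&r, 0);
    int st = conditional_status(find_header(&r, "If-Modified-Since"), last_modified);
    free_request(&r);
    return st;
}
```

The point of the model is the last three functions together: in the vulnerable design `ims` is left pointing at the freed first buffer, and `conditional_status` would then run string comparison and date parsing over whatever the allocator has since placed there, with the 200/304/412 result visible to the client. The fix is structural rather than a bounds check: never keep a pointer into a header value that a later merge may reallocate, and resolve the header only from the live table once the request is fully parsed.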

The vulnerability in Lighttpd was discovered and fixed in 2018, but no CVE was assigned

The fix landed in the Lighttpd codebase in 2018, in version 1.4.51. However, no CVE identifier was assigned and no advisory describing the nature of the bug was published. The release notes mentioned security fixes but focused on a vulnerability in mod_userdir involving ".." and "." sequences in the username. Without a CVE, downstream consumers that track vulnerabilities by identifier had nothing to match against, which is how a fix available upstream in 2018 went missing from firmware built the following year.

The Binarly Research team led the coordinated disclosure of this vulnerability to the Intel and Lenovo PSIRTs. Both declined to fix or acknowledge the report because the affected products recently reached end-of-life status and will no longer receive security fixes.

We call these the forever bugs that will haunt the software supply chain for a long time. We decided to document this software supply chain security flaw to help the ecosystem recover from these repeatable firmware security flaws.

Although the changelog also noted a problem in HTTP header processing, the firmware developers never picked up the fix. The vendors have said they have no plans to release firmware updates, both because the products using this firmware have reached the end of their support period and because they consider the severity of the vulnerability to be low.

The platforms confirmed as affected are Intel M70KLP and Lenovo HX3710, HX3710-F and HX2710-E; the vulnerability is present even in the latest firmware releases (Lenovo 2.88.58 and Intel 01.04.0030). The Lighttpd flaw is also reported to affect Supermicro firmware, as well as servers that use BMC controllers from Duluth and ATEN.

In addition to the Lighttpd use-after-free, the report lists further findings: a heap out-of-bounds read (CWE-125) in the Lighttpd component used in Intel devices, and vulnerabilities in the Intel M70KLP BMC firmware and in the Lenovo HX3710, HX3710-F and HX2710-E BMC firmware.
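Because the affected list above is only what Binarly confirmed, and the same outdated Lighttpd ships in other BMC firmware, a practitioner will want a quick way to triage a fleet. Here is an added example in C (not from the report or from any vendor) that decides from a Server banner whether a lighttpd build predates the 1.4.51 fix. It assumes the BMC's web interface advertises its version, which lighttpd's default server.tag does but an operator can change; the sample banners are constructed, and a result of -1 means "version not advertised", not "not affected".

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the Binarly report: triage a Server banner against the
 * lighttpd 1.4.51 fix. Assumes the banner carries "lighttpd/MAJOR.MINOR.PATCH". */

/* Extract MAJOR.MINOR.PATCH following "lighttpd/"; returns 1 if a version was found. */
int parse_lighttpd_banner(const char *banner, int v[3]) {
    const char *p = strstr(banner, "lighttpd/");
    if (!p) return 0;
    return sscanf(p + strlen("lighttpd/"), "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* 1 = older than 1.4.51 (fix absent), 0 = 1.4.51 or newer, -1 = version not advertised. */
int lighttpd_predates_fix(const char *banner) {
    static const int fixed_in[3] = {1, 4, 51};
    int v[3];
    if (!parse_lighttpd_banner(banner, v)) return -1;
    for (int i = 0; i < 3; i++)
        if (v[i] != fixed_in[i]) return v[i] < fixed_in[i];
    return 0;
}

int main(void) {
    /* Constructed banners standing in for the Server header of real BMC responses. */
    const char *samples[] = { "Server: lighttpd/1.4.45", "Server: lighttpd/1.4.51",
                              "Server: lighttpd/1.4.76", "Server: (version hidden)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d\n", samples[i], lighttpd_predates_fix(samples[i]));
    return 0;
}
```

A banner check is a first pass only: firmware vendors sometimes backport fixes without bumping the version string, and a hidden banner tells you nothing either way. Treat 1 as "investigate" and -1 as "unknown", and confirm by checking the firmware image itself or the vendor's advisory for the exact lighttpd build it contains.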

Finally, the Binarly Research report stresses the need for responsible disclosure of detected vulnerabilities and for collaboration with manufacturers and other relevant parties (such as Intel and Lenovo) to mitigate risk. "Forever bugs" in devices reaching the end of their life cycle are nothing new, and once a manufacturer declares support over, users need a way to apply patches or workarounds on their own.

If you are interested in learning more, the details are available in the following link.