BMC flaw left unchecked for 6 years hits Intel and Lenovo servers

The security team patched the flaw in August 2018, in version 1.4.51, but they didn’t assign a CVE. Lighttpd is an open-source web server optimized for speed-critical environments.

Thousands of vulnerable devices

As the CVE wasn’t assigned, the developers of AMI MegaRAC Baseboard Management Controllers (BMC) missed the update and did not integrate it into their product, BleepingComputer reports. BMCs are microcontrollers found on motherboards built for servers, data centers, cloud environments, and similar. They are designed for remote management, rebooting, monitoring, and firmware.

Consequently, the vulnerability was passed down the supply chain to system vendors and their customers.

Six years later, during a BMC scan, security researchers Binarly stumbled upon the vulnerability. The company says that multiple products, including some from Intel, Lenovo, and Supermicro, are all vulnerable.

"Based on our data, nearly 2000+ devices are impacted in the field. In reality, this number is even bigger," the researchers told BleepingComputer.

Depending on the vendors and the devices, the vulnerability was given three separate identifiers: BRLY-2024-002, BRLY-2024-003, and BRLY-2024-004.

While Binarly claims that some of the vulnerable systems were released as recently as late February last year, both Intel and Lenovo said the impacted models reached end-of-life and as such aren’t recommended for use anyway. They will never receive further patches to address the problem, and will remain vulnerable until they are replaced with newer, supported systems.

More from TechRadar Pro

• Microsoft warns Raspberry Robin malware is getting a lot sourer
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now