Hackers can use the Lighttpd vulnerability to target BMCs
Intel and Lenovo won’t provide any fixes
Updated on April 17, 2024
Lighttpd is a popular open-source web server. Multiple manufacturers use it in their tools and products because it is flexible, fast, efficient, and standards-compliant, and it holds up well in high-performance environments. Unfortunately, Lighttpd has an unresolved vulnerability that affects over 2000 devices made by Intel, Lenovo, Supermicro, and American Megatrends International (AMI).
In addition, the Lighttpd vulnerability affects baseboard management controllers (BMCs) from Duluth, Georgia-based AMI and Taiwan-based AETN.
What are the BMCs for?
The problem could become serious because BMCs are what allow cloud data centers and their customers to manage servers remotely, and they keep working even when the host system is turned off. Thus, threat actors could use the Lighttpd vulnerability to remotely break into them and gain access and control at any time.
Lighttpd developers fixed the problem in 2018 without explicitly describing it in the patch. On top of that, they didn't assign a CVE to it. As a result, manufacturers kept shipping the outdated version of the open-source web server.
Hackers can exploit the Lighttpd vulnerability to read portions of a server's memory. From there, they can bypass protections such as ASLR (address space layout randomization).
Intel and Lenovo will not release a patch to fix the issue. In addition, they state that they no longer support the hardware that is potentially vulnerable to it. As a consequence, the other affected products will remain at risk indefinitely. For example, Supermicro still relies on Lighttpd. So, consider contacting the manufacturer for a possible fix.
Fortunately, the Lighttpd vulnerability alone is not severe, because cybercriminals need a working exploit to use it. On top of that, enable BMCs only when you need them. Afterward, lock them down carefully, because they allow servers to be controlled through HTTP requests.
Ultimately, you can manage the Lighttpd vulnerability with some extra care. After all, if you use Intel or Lenovo hardware, there won't be a fix. You can find the vulnerability in systems using Lighttpd versions 1.4.35, 1.4.45, and 1.4.51. However, you shouldn't worry much about it, because the issue has persisted for six years and nobody did anything about it.
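As an added defender-side example (not from the article, from Lighttpd, or from any vendor named above), the Python script below parses the Server header of a BMC web interface's HTTP response and flags the lighttpd builds the article lists. The hostnames and responses are constructed for illustration. A missing banner is reported as "unknown" rather than safe, since BMC firmware often does not advertise its web server version and only the vendor's firmware release notes can settle it.

```python
"""Inventory check: flag BMC web interfaces whose Server banner advertises a
lighttpd build the article lists as affected.  Added illustration; the HTTP
responses below are constructed, not captured from real hardware."""
import re
from typing import Dict, List, Optional, Tuple

# Versions the article names as present in affected BMC firmware.
AFFECTED_VERSIONS = {"1.4.35", "1.4.45", "1.4.51"}

_SERVER_RE = re.compile(r"^Server:[ \t]*(.+?)[ \t\r]*$", re.IGNORECASE | re.MULTILINE)
_LIGHTTPD_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def header_block(raw_response: str) -> str:
    """Keep only the status line and headers; a version string in the body is not trusted."""
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in raw_response:
            return raw_response.split(sep, 1)[0]
    return raw_response


def parse_lighttpd_version(raw_response: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a 'Server: lighttpd/x.y.z' header, or None."""
    m = _SERVER_RE.search(header_block(raw_response))
    if not m:
        return None
    v = _LIGHTTPD_RE.search(m.group(1))
    if not v:
        return None
    major, minor, patch = (int(x) for x in v.groups())
    return (major, minor, patch)


def assess(host: str, raw_response: str) -> Dict[str, Optional[str]]:
    """Classify one BMC web interface as 'affected', 'not-listed' or 'unknown'."""
    version = parse_lighttpd_version(raw_response)
    if version is None:
        return {"host": host, "version": None, "status": "unknown",
                "action": "no lighttpd banner; confirm the web server build from firmware release notes"}
    vs = ".".join(str(n) for n in version)
    if vs in AFFECTED_VERSIONS:
        return {"host": host, "version": vs, "status": "affected",
                "action": "isolate the BMC network, disable the BMC when idle, request vendor firmware"}
    return {"host": host, "version": vs, "status": "not-listed",
            "action": "not in the article's list; verify against the vendor advisory"}


def triage(inventory: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Run assess() over a host -> raw response map, affected hosts first."""
    order = {"affected": 0, "unknown": 1, "not-listed": 2}
    results = [assess(h, r) for h, r in inventory.items()]
    return sorted(results, key=lambda r: order[r["status"]])


# Constructed sample responses (hypothetical hosts, not real device output).
SAMPLE_INVENTORY = {
    "bmc-a.example.internal": (
        "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Type: text/html\r\n\r\n<html>"
    ),
    "bmc-b.example.internal": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.45\r\n\r\n",
    # Banner stripped; a lookalike string in the body must not count.
    "bmc-c.example.internal": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nServer: lighttpd/1.4.35 in body"
    ),
    "bmc-d.example.internal": "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.60\r\n\r\n",
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['host']:<26} {r['version'] or '-':<8} {r['status']:<11} {r['action']}")
```

The check only reads what the device already advertises; it sends nothing unusual and is meant to be run over responses you collect from your own management network. Treat "not-listed" as "verify", not "fixed": the article gives no patched version number, so the vendor advisory is the only authority on whether a given firmware build carries the fix.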
What are your thoughts? Should Intel and Lenovo do something about the issue? Let us know in the comments.
Sebastian Filipoiu
Sebastian is a content writer with a desire to learn everything new about AI and gaming. So, he spends his time writing prompts on various LLMs to understand them better. Additionally, Sebastian has experience fixing performance-related problems in video games and knows his way around Windows. Also, he is interested in anything related to quantum technology and becomes a research freak when he wants to learn more.