Unpatched Lighttpd Flaw in Intel, Lenovo BMCs Risks Data Security
April 16, 2024
A security flaw in the Lighttpd web server impacting BMCs remains unpatched by Intel and Lenovo.
The vulnerability was fixed by Lighttpd maintainers in 2018 but was missed by AMI MegaRAC BMC developers due to the lack of a CVE identifier.
Affected Intel and Lenovo products contain an out-of-bounds read vulnerability, risking sensitive data exposure and security bypass.
Intel and Lenovo have not addressed the flaw because the affected products are now end-of-life and no longer receive security updates.
The situation highlights the dangers of outdated third-party components in firmware and the extended risk to the industry.
Summary based on 1 source
Source
The Hacker News • Apr 15, 2024
Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw