The issue stems from a flaw in the open source web server lighttpd, which is built into some generations of BMCs from AMI and AETN. In 2018, the lighttpd developers released a new version in which this problem appeared, and no one noticed. The old, vulnerable version of lighttpd allows attackers to read sensitive data, including the memory addresses needed to bypass security mitigations.
The severity of the vulnerability lies in how hard it is to fix. Updating the BMC firmware alone will not resolve the problem, because lighttpd is a core component of that firmware. Researchers warn that millions of servers could be at risk and urge users to determine which versions of the BMC and lighttpd software they are running.
While the full extent of the issue remains unclear, Binarly confirmed the vulnerability on an Intel M70KLP server system equipped with AMI's MegaRAC BMC.
Source: Ferra