Hackable Intel and Lenovo hardware that went undetected for 5 years won’t ever be fixed

🌈 Abstract

The article discusses a remotely exploitable vulnerability in hardware sold by major manufacturers like Intel and Lenovo, which is caused by a supply chain issue involving an open-source software package called lighttpd. The vulnerability affects baseboard management controllers (BMCs) used in server hardware and can be exploited to bypass security mechanisms like address space layout randomization (ASLR).

🙋 Q&A

[01] Hardware Vulnerability

1. What is the vulnerability found in hardware sold by Intel, Lenovo, and Supermicro?

• The hardware contains a remotely exploitable vulnerability that can never be fixed, caused by a supply chain issue involving the open-source software package lighttpd.
• The vulnerability affects baseboard management controllers (BMCs) used in server hardware, which allow remote management of the systems.
• The vulnerability can be exploited to reveal security-critical information and bypass security mechanisms like ASLR.

2. What is the cause of this vulnerability?

• BMCs from multiple manufacturers, including AMI and AETN, have incorporated vulnerable versions of the open-source software lighttpd for years.
• The lighttpd vulnerability was fixed in 2018, but BMC makers continued using the affected versions, and server manufacturers incorporated these vulnerable BMCs into their hardware.

3. Which hardware products are affected by this vulnerability?

• Hardware sold by Intel, Lenovo, and Supermicro that incorporates certain generations of BMCs made by AMI or AETN are affected.
• Intel hardware sold as recently as last year is affected, and both Intel and Lenovo have no plans to release fixes as they no longer support the affected hardware.
• Affected products from Supermicro are still supported.

4. How can the vulnerability be exploited?

• The vulnerability is a heap out-of-bounds read vulnerability in the HTTP request parsing logic of lighttpd.
• Attackers can exploit it using maliciously designed HTTP requests to read memory of the lighttpd web server process, potentially leading to sensitive data exfiltration and bypassing security mechanisms like ASLR.

[02] Supply Chain Issues

1. What are the supply chain issues that led to this vulnerability?

• BMC makers, including AMI and ATEN, were using affected versions of lighttpd when the vulnerability was fixed in 2018 and continued doing so for years.
• Server manufacturers, in turn, continued putting the vulnerable BMCs into their hardware over the same multi-year time period.
• This is an example of "inconsistencies in the firmware supply chain," where a very outdated third-party component was present in the latest version of firmware, creating additional risk for end-users.

2. How difficult is it to track the supply chain for the affected BMCs and hardware?

• Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult.
• So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs, but information about BMCs from ATEN or hardware from Lenovo and Supermicro is not available at the moment.

3. What is the impact of this supply chain issue?

• The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51, which were incorporated into BMCs and server hardware for years.
• This has resulted in a widespread vulnerability that cannot be easily fixed, as the affected hardware is no longer supported by the manufacturers.