Multiple links in the supply chain failed for years to identify an unfixed vulnerability:
Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products.
Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based ATEN is also affected.
BMCs (Baseboard Management Controllers) are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and ATEN are two of several makers of BMCs.
For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests.
In 2018, lighttpd developers released a new version that fixed "various use-after-free scenarios," a vague reference to a class of vulnerability that can be remotely exploited to tamper with security-sensitive memory functions of the affected software. Despite the description, the update didn't use the word "vulnerability" and didn't include a CVE vulnerability tracking number as is customary.
BMC makers including AMI and ATEN were using affected versions of lighttpd when the vulnerability was fixed and continued doing so for years, Binarly researchers said. Server manufacturers, in turn, continued putting the vulnerable BMCs into their hardware over the same multi-year time period. Binarly has identified three of those server makers as Intel, Lenovo, and Supermicro. Intel hardware sold as recently as last year is affected. Binarly said that both Intel and Lenovo have no plans to release fixes because they no longer support the affected hardware. Affected products from Supermicro are still supported.
"All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"
The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code.
Tracking the supply chain for the many BMC models used across server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro isn't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51.
Attempts to reach lighttpd developers and most of the makers of affected hardware weren't immediately successful. An AMI representative declined to comment on the vulnerability but added the standard statements about security being an important priority.
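As an added example (not code from the article, Binarly, or the lighttpd project), a small Python scanner that looks for the lighttpd version strings listed above in a firmware image or in the HTTP Server header a BMC web interface returns; the sample blob and response below are constructed, not taken from a real BMC.

```python
import re
from typing import Optional

# Versions the article reports as shipping the vulnerable lighttpd parser.
AFFECTED_LIGHTTPD_VERSIONS = {"1.4.35", "1.4.45", "1.4.51"}

# lighttpd embeds "lighttpd/<version>" in its binary and, unless the build or
# configuration suppresses it, in the HTTP "Server:" response header.
_VERSION_RE = re.compile(rb"lighttpd/(1\.4\.\d+)")
_SERVER_HDR_RE = re.compile(rb"(?im)^server:\s*lighttpd/(1\.4\.\d+)")

def find_lighttpd_versions(blob: bytes) -> set:
    """Return every lighttpd 1.4.x version string found in a byte blob
    (e.g. a firmware image or an extracted BMC root filesystem)."""
    return {m.group(1).decode("ascii") for m in _VERSION_RE.finditer(blob)}

def server_header_version(response: bytes) -> Optional[str]:
    """Pull the lighttpd version out of an HTTP response's Server header."""
    m = _SERVER_HDR_RE.search(response)
    return m.group(1).decode("ascii") if m else None

def classify_versions(versions):
    """Split found versions into (listed as affected, not on the list).
    Versions not on the list are reported, not cleared: verify them manually."""
    affected = sorted(v for v in versions if v in AFFECTED_LIGHTTPD_VERSIONS)
    other = sorted(v for v in versions if v not in AFFECTED_LIGHTTPD_VERSIONS)
    return affected, other

def scan_firmware_image(data: bytes):
    """Scan raw firmware bytes and classify any lighttpd versions found."""
    return classify_versions(find_lighttpd_versions(data))

# Constructed sample: a fake firmware blob embedding a listed-affected banner
# and a second, unlisted version string (not a real BMC image).
SAMPLE_FIRMWARE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"lighttpd/1.4.35 (ssl) - a light and fast webserver\x00"
    + b"\x00" * 8
    + b"Server: lighttpd/1.4.60\r\n"
)

# Constructed sample: an HTTP response as a BMC web interface might send it.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: lighttpd/1.4.45\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    print(scan_firmware_image(SAMPLE_FIRMWARE_BLOB))    # (['1.4.35'], ['1.4.60'])
    print(server_header_version(SAMPLE_HTTP_RESPONSE))  # 1.4.45
```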
The lighttpd flaw is what's known as a heap out-of-bounds read vulnerability that's caused by bugs in HTTP request parsing logic. Hackers can exploit it using maliciously designed HTTP requests.
(Score: 2, Insightful) by PiMuNu on Saturday April 13, @06:03PM (3 children)
> a supply chain snafu involving an open source software package
How is the copyright license of the software relevant to the rest of this article?
(Score: 3, Insightful) by drussell on Saturday April 13, @07:15PM
Promotes FUD.
"It's all Open Source's fault!"
"Look over there! Squirrel!! Shiny thing!! Over there! OVER THERE!!" 🙄
(Score: 1, Touché) by Anonymous Coward on Saturday April 13, @08:38PM (1 child)
Oh, but you would certainly bring it up if it were proprietary, wouldn't you...
(Score: 2) by RedGreen on Sunday April 14, @04:55AM
"Oh, but you would certainly bring it up if it were proprietary, wouldn't you..."
That is how you know it is a Windows vulnerability, they never mention the OS when it is due to it. The only time I really see the OS ever mentioned is when it has to do with Linux so they can indeed spread the FUD.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 1) by anubi on Saturday April 13, @10:02PM (1 child)
I still remember the disgust I had when manufacturers started embracing flash BIOS on the motherboard and so-called "secure updaters" for reflashing it using only software.
If they can't get anything else right, at least get the BIOS right. All those special little backdoors put in at the behest of governments, marketeers, and copyright police belong in the OS, not the BIOS.
I would be delighted with a machine whose basic functions could be trusted by public examination of their operation code.
Even my Arduino compatible designs, I designed hardware jumpers to enable them to accept new programming, so that one has to have physical access to it to alter its programming. Same with its flash memory. Once you have the memory loaded with calibration tables or whatever, remove the jumper and the write enable is hard disabled.
It's hard for me to conceive anyone would want to deploy hackable hardware onto hapless businessmen that think no one is going to anonymously screw them over...maybe just for the fun of it.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by r1348 on Saturday April 13, @11:29PM
The BMC is a separate component from the BIOS. You can actually see the BIOS boot and modify its configuration remotely when connected to it through IPMI.