Article 6M23D Hackable Intel and Lenovo Hardware That Went Undetected for 5 Years Won’t Ever be Fixed

by janrinok from SoylentNews on (#6M23D)

upstart writes:

Multiple links in the supply chain failed for years to identify an unfixed vulnerability:

Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products.

Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based ATEN are also affected.

BMCs (Baseboard Management Controllers) are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system, even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and ATEN are two of several makers of BMCs.

For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests.

In 2018, lighttpd developers released a new version that fixed "various use-after-free scenarios," a vague reference to a class of vulnerability that can be remotely exploited to tamper with security-sensitive memory functions of the affected software. Despite the description, the update didn't use the word "vulnerability" and didn't include a CVE vulnerability tracking number as is customary.

BMC makers including AMI and ATEN were using affected versions of lighttpd when the vulnerability was fixed and continued doing so for years, Binarly researchers said. Server manufacturers, in turn, continued putting the vulnerable BMCs into their hardware over the same multi-year time period. Binarly has identified three of those server makers as Intel, Lenovo, and Supermicro. Intel hardware sold by Intel as recently as last year is affected. Binarly said that both Intel and Lenovo have no plans to release fixes because they no longer support the affected hardware. Affected products from Supermicro are still supported.

Read more of this story at SoylentNews.
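A fleet-inventory check in the spirit of the supply-chain failure described above, added here as an example and not part of the story or of Binarly's tooling: it scans a BMC firmware image for the version banner lighttpd compiles into its binary and flags releases older than a minimum you supply. The fixed release is a placeholder to be taken from the lighttpd changelog, since the story gives no version number, and the sample image is constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# lighttpd builds its version into the binary (it is what the Server:
# response header reports), e.g. b"lighttpd/1.4.35".  Matching that string
# is a cheap way to inventory bundled copies without unpacking the image.
LIGHTTPD_VERSION_RE = re.compile(rb"lighttpd/(\d+)\.(\d+)\.(\d+)")


class Finding(NamedTuple):
    offset: int            # byte offset of the banner inside the image
    version: Tuple[int, ...]
    vulnerable: bool       # older than the release that carried the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.35' -> (1, 4, 35); tuples compare numerically, so 1.4.9 < 1.4.10."""
    return tuple(int(part) for part in text.split("."))


def find_lighttpd_versions(blob: bytes, fixed_version: str) -> List[Finding]:
    """Return every lighttpd banner in the image, flagged if older than fixed_version."""
    fixed = parse_version(fixed_version)
    findings = []
    for match in LIGHTTPD_VERSION_RE.finditer(blob):
        version = tuple(int(group) for group in match.groups())
        findings.append(Finding(match.start(), version, version < fixed))
    return findings


def firmware_status(blob: bytes, fixed_version: str) -> str:
    """Summarise an image: 'vulnerable', 'fixed', or 'no-lighttpd-banner'.

    A missing banner is reported separately rather than as 'fixed': a vendor
    may strip or rewrite the string, so absence is not evidence of absence.
    """
    findings = find_lighttpd_versions(blob, fixed_version)
    if not findings:
        return "no-lighttpd-banner"
    return "vulnerable" if any(f.vulnerable for f in findings) else "fixed"


# Constructed sample image: filler bytes around two embedded banners.
SAMPLE_IMAGE = (b"\x00" * 16 + b"Server: lighttpd/1.4.35\r\n"
                + b"\xff" * 8 + b"lighttpd/1.4.99" + b"\x00" * 4)

# PLACEHOLDER: replace with the 2018 lighttpd release that fixed the
# use-after-free bugs (look it up in the lighttpd changelog).
FIXED_RELEASE = "1.4.50"

if __name__ == "__main__":
    for finding in find_lighttpd_versions(SAMPLE_IMAGE, FIXED_RELEASE):
        print(finding)
    print(firmware_status(SAMPLE_IMAGE, FIXED_RELEASE))
```

Run it against a dumped BMC flash image instead of SAMPLE_IMAGE; a single image may carry more than one copy (for example a recovery partition), which is why every hit is reported with its offset.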
