Hackable Intel and Lenovo hardware that went undetected for 5 years won’t ever be fixed

Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products.

Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

Chain of fools

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what’s known in the industry as “lights-out” system management. AMI and AETN are two of several makers of BMCs.

For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that’s compatible with various hardware and software platforms. It’s used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests.

In 2018, lighttpd developers released a new version that fixed “various use-after-free scenarios,” a vague reference to a class of vulnerability that can be remotely exploitable to tamper with security-sensitive memory functions of the affected software. Despite the description, the update didn’t use the word “vulnerability” and didn’t include a CVE vulnerability tracking number as is customary.

BMC makers including AMI and ATEN were using affected versions of lighttpd when the vulnerability was fixed and continued doing so for years, Binarly researchers said. Server manufacturers, in turn, continued putting the vulnerable BMCs into their hardware over the same multi-year time period. Binarly has identified three of those server makers as Intel, Lenovo, and Supermicro. Hardware sold by Intel as recently as last year is affected. Binarly said that both Intel and Lenovo have no plans to release fixes because they no longer support the affected hardware. Affected products from Supermicro are still supported.

“All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image,” Binarly researchers wrote Thursday. “This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?”

Defeating ASLR

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can’t be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code.

Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI’s MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren’t available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51.

In a statement, Lenovo officials wrote:

Lenovo is aware of the AMI MegaRAC concern identified by Binarly. We are working with our supplier to identify any potential impacts to Lenovo products. ThinkSystem servers with XClarity Controller (XCC) and System x servers with Integrated Management Module v2 (IMM2) do not use MegaRAC and are not affected.

An AMI representative declined to comment on the vulnerability but added the standard statements about security being an important priority. An Intel representative confirmed the accuracy of the Binarly report. Representatives from Supermicro didn't respond to an email seeking confirmation of the report.

The lighttpd flaw is what’s known as a heap out-of-bounds read vulnerability that's caused by bugs in HTTP request parsing logic. Hackers can exploit it using maliciously designed HTTP requests.

“A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process,” Binarly researchers wrote in an advisory. “This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR.” Advisories are available here, here, and here.

This isn’t the first major supply chain gaff to be unearthed by Binarly. In December, the firm disclosed LogoFail, an attack that executes malicious firmware early in the boot-up sequence as a result of outdated firmware used in virtually all Unified Extensible Firmware Interfaces, which are responsible for booting modern devices that run Windows or Linux.

People or organizations using Supermicro gear should check with the manufacturer to find information on possible fixes. With no fixes available from Intel or Lenovo, there’s not much users of these affected hardware can do. It’s worth mentioning explicitly, however, that the severity of the lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability. In general, BMCs should be enabled only when needed and locked down carefully, as they allow for extraordinary control of entire fleets of servers with simple HTTP requests sent over the Internet.