About vulnerability
The vulnerability resides within the Lighttpd web server, a lightweight and efficient open-source server commonly used for high-traffic websites. Researchers at the firmware security firm Binarly stumbled upon this flaw, which had gone unnoticed for years. The flaw lies in the handling of “folded” HTTP request headers and leads to a heap out-of-bounds (OOB) read.
The Culprit: Lighttpd Web Server
The Lighttpd developers quietly patched the issue in version 1.4.51 without issuing a tracking ID (CVE), even though it was resolved in August 2018.
Because of this, the AMI MegaRAC BMC developers overlooked the change and neglected to incorporate it into the final version. As a result, system vendors and their clients further down the supply chain were left exposed to the vulnerability.
The Impact
BMCs are microcontrollers that are integrated into server-grade motherboards, such as those found in cloud and data center systems, and allow for

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents