Lighttpd

An old bug in Lighttpd has gained new life, leaving Intel and Lenovo products at risk.

How an old bug in Lighttpd gained new life in AMI BMC, including Lenovo and Intel products.

April 11, 2024

On March 21, 2024 the Binarly REsearch team notified Intel and Lenovo PSIRT teams of an active lighttpd vulnerability.While this vulnerability was originally detected in 2018, no CVE was assigned and instead a silent fix has left open source components unpatched for years.

[BRLY-2024-002] OOB Read in Lighttpd 1.4.45 used in Intel M70KLP series firmware

The Binarly REsearch team have discovered a Heap Out-of-bounds Read vulnerability in the web server component of Intel BMC firmware, allowing a potential attacker to exfiltrate sensitive information from Lighttpd process memory.

[BRLY-2024-004] OOB Read in Lighttpd before 1.4.51

The Binarly REsearch team has discovered a Heap Out-of-bounds Read vulnerability in the lighttpd web server, allowing a potential attacker to exfiltrate sensitive information from process memory.

[BRLY-2024-003] OOB Read in Lighttpd 1.4.35 used in Lenovo BMC firmware

The Binarly REsearch team has discovered a Heap Out-of-bounds Read vulnerability in the web server component of Lenovo BMC firmware, allowing a potential attacker to exfiltrate sensitive information from Lighttpd process memory.

Get a closer look at Binarly

Our team is available to talk to you about your specific requirements or to give you a full demo