Intel、聯想伺服器的BMC韌體存在長達6年之久的第三方元件漏洞
· 2024-04-12
偷偷修補資安漏洞,並未登記CVE編號,有可能對軟體供應鏈帶來危害!資安業者Binarly發現,2018年網頁伺服器元件Lighttpd專案默默修補的一項漏洞,迄今仍影響部分採用AMI MegaRAC基板管理控制器的伺服器
Binarly
使用第三方開源元件的軟體開發者,通常不會逐一套用開源元件專案所有更新內容,而可能會選擇性處理重大變更及重要的安全性修補,將其納入自己採用的第三方元件,而這樣的情況,很有可能帶來軟體供應鏈安全的問題。
最近資安業者Binarly揭露的網頁伺服器元件Lighttpd漏洞,就是這種情形。該專案曾在2018年發布1.4.51版,默默地修補一項記憶體堆疊越界讀取漏洞,但並未在資安公告裡提及,也沒有登記CVE編號,使得採用Lighttpd但並未套用相關修補程式碼的AMI MegaRAC基板管理控制器(BMC),如今仍存在相關漏洞。
值得留意的是,研究人員向採用該廠牌BMC的兩家伺服器廠商(Intel、聯想)通報此事,但這些廠商因為曝險產品已經達到生命週期結束(EOL)狀態,拒絕提供修補,或是不願承認研究人員通報的資訊。
對此,Binarly認為這項弱點會長期影響相關的軟體供應鏈,而將其稱做「永遠的漏洞(Forever Bugs)」,並針對受此漏洞影響的Intel、聯想BMC韌體,以及舊版lighttpd指派BRLY-2024-002、BRLY-2024-003、BRLY-2024-004予以列管。
熱門文章
Across 6 Cities: HUIDU Invites You to 8 World Cup Parties Redefining High-Value Social Networking
HUIDU Focus
Vietnam’s Controlled Gaming Shift Gains Ground, But Domestic Demand Still Lags
Southeast Asia
Online gambling, crypto pose ongoing money laundering risks in Philippines, analyst says
Southeast Asia
1spin4win releases unique slot Don Catleone Hold and Win featuring gangster cats
Online Game
GGC Awards 2026 Shines in Colombo: Honoring Leaders and Innovators in the iGaming Industry
HUIDU Focus
Full House at GAT Expo Cartagena 2026 Academic Agenda
Online Game
New Jersey July Gambling Revenue Hits $606M, Sweeps Casinos Banned
Regulation
Brazil Proposes Raising Gambling Tax Rate to 24%, With Revenue Allocated to Social Security and Healthcare
Regulation
Institutional Academy that exceeded expectations marked the opening of GAT CDMX
Online Game
1spin4win grows its Latin American presence by partnering with Fortuna Juegos
Online Game
Super PAC Raises $48 Million: Sports Betting Forces Ramp Up Political Push
Regulation
British gambling levy rates confirmed for each vertical
Regulation
Gaming & Technology Expo Makes a Powerful Entrance in CDMX
Marketing
HUIDU Invites You to Booth T70 at iGB L!VE 2026 — Let’s Ignite London This July!
HUIDU Focus
B2B Tech Infrastructure Gains Momentum in Philippine Gaming Sector
Southeast Asia
