{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/312260#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA use-after-free vulnerability in lighttpd in versions 1.4.50 and earlier permits a remote, unauthenticated attacker to trigger lighttpd to read from invalid pointers in memory.  The attacker can use crafted HTTP Requests to crash the web server and/or leak memory in order to access sensitive data. This vulnerability was fixed in 2018 by the lighttpd project.  However, a number of implementations of lighttpd remain vulnerable due to a failure to apply the security updates provided by lighttpd.\r\n\r\n### Description\r\nlighttpd is a lightweight web server software that is meant for low resource environments with limited CPU and memory. This open-source software is available in binary form and source code that is included in various IoT and firmware environments.  In November of 2018, VDOO researchers disclosed a [vulnerability](https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#Lighttpd%20Use-After-Free%20Bugs) related to the HTTP header parsing code in lighttpd versions 1.4.50 and earlier. This security issue was fixed by lighttpd  as part of their [1.4.51 release](https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9#diff-8800c58d198dc86ed580c0e0b78c9a26) in August 2018.  At the time of disclosure, VDOO researchers identified the primary impact to be Denial of Service (DoS) using the released memory pointer.  \r\n\r\nHowever, a CVE ID was not obtained as part of the fix outlined above, leaving the vulnerability without a public identifier.  In April of 2024, Binarly discovered that the lighttpd vulnerability was still present in a number of products, presenting a supply-chain risk. 
The lack of a CVE ID rendered the security fix invisible to projects that utilize earlier versions of lighttpd.  Many organizations depend on [a public CVE ID record](https://apps.dtic.mil/sti/trecms/pdf/AD1125343.pdf) to initiate security fixes and apply software updates. [Binarly also documented](https://www.binarly.io/blog/lighttpd-gains-new-life) many implementations of lighttpd (versions 1.4.50 and earlier) that allowed for a different set of attacks that can leak memory and access sensitive data. The supply-chain impact of this vulnerable software includes multiple products as highlighted in the [blog by runZero](https://www.runzero.com/blog/lighttpd/).  The lighttpd project has now obtained [CVE-2018-25103](https://www.cve.org/CVERecord?id=CVE-2018-25103) to identify this vulnerability and to alert supply-chain partners to implement the required fix. \r\n\r\n### Impact\r\nThe impact of this vulnerability varies widely with the many ways lighttpd is used as a web server across product implementations.  In general, a remote unauthenticated attacker can use crafted HTTP Requests to crash the web server and/or leak memory in order to access sensitive data, such as process memory addresses. \r\n\r\n### Solution\r\nThe CERT/CC recommends applying the latest vendor-provided patch to address this issue. Review the Vendor Information below or contact your vendor or supplier for specific mitigation advice. If your device's implementation of lighttpd is deemed end-of-life or end-of-support, replace your hardware or software as appropriate to avoid exposure to this vulnerability.  Operators can also limit network access to lighttpd implementations to avoid exposure of this software to the public Internet and untrusted sources.\r\n\r\n\r\n### Acknowledgements\r\nThanks to Binarly for highlighting this vulnerability in supply-chain implementations. Thanks to Ori Hollander of VDOO for identifying and reporting the vulnerability in 2018. 
Thanks also to the lighttpd project and vendor AMI, who cooperated in supporting this public disclosure and outreach. This document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"A CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and the advisory URL, if provided by the vendor, for more details. ","title":"Limitations of Advisory"},{"category":"other","text":"lighttpd 1.4.50 and earlier have a use-after-free vulnerability which might leak memory.  Brute force attacks would have to guess exact matches.  Guesses must not contain chars < 0x20 and would have to rely on stable contents of a specific, non-attacker-controlled memory location.  On a system not processing any other requests, and therefore with more stable memory locations, the contents in freed memory are very unlikely to contain anything sensitive.  This bug is read-only and not otherwise directly exploitable, but could theoretically be leveraged if other exploitable bugs were found.","title":"Vendor statement from lighttpd"},{"category":"other","text":"AMI has published an advisory to customers.","title":"Vendor statement from American Megatrends Incorporated (AMI)"},{"category":"other","text":"The only impacted Intel device is end-of-lifed. This was previously shared with Binarly. 
Due to it being EOL'd, Intel will not be providing a mitigation.","title":"Vendor statement from Intel"},{"category":"other","text":"Intel's products are affected by this vulnerability; however, these products have been identified as end-of-life by Intel.  Users should replace these end-of-life products as they will not be fixed by Intel.","title":"CERT/CC comment on Intel notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/312260"},{"url":"https://www.runzero.com/blog/lighttpd/","summary":"https://www.runzero.com/blog/lighttpd/"},{"url":"https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9","summary":"https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9"},{"url":"https://www.binarly.io/blog/lighttpd-gains-new-life","summary":"https://www.binarly.io/blog/lighttpd-gains-new-life"},{"url":"https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf","summary":"https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf"},{"url":"https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736","summary":"https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736"},{"url":"https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9","summary":"Reference(s) from vendor 
\"lighttpd\""},{"url":"https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736","summary":"Reference(s) from vendor \"lighttpd\""},{"url":"https://www.runzero.com/blog/lighttpd/","summary":"Reference(s) from vendor \"lighttpd\""}],"title":"Use-after-free vulnerability in lighttpd version 1.4.50 and earlier","tracking":{"current_release_date":"2024-07-10T18:25:51+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#312260","initial_release_date":"2024-07-09 14:48:44.963802+00:00","revision_history":[{"date":"2024-07-10T18:25:51+00:00","number":"1.20240710182551.2","summary":"Released on 2024-07-10T18:25:51+00:00"}],"status":"final","version":"1.20240710182551.2"}},"vulnerabilities":[{"title":"There exists a use-after-free-vulnerability in lighttpd <= 1.","notes":[{"category":"summary","text":"There exists a use-after-free-vulnerability in lighttpd <= 1.4.50 that can allow access to do a case-insensitive comparison against the reused pointer."}],"cve":"CVE-2018-25103","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#312260"}],"product_status":{"known_affected":["CSAFPID-de605692-34dd-11f1-8422-122e2785dc9f","CSAFPID-de609936-34dd-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-de60e850-34dd-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"lighttpd","product":{"name":"lighttpd Products","product_id":"CSAFPID-de605692-34dd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-de609936-34dd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-de60e850-34dd-11f1-8422-122e2785dc9f"}}]}}