Vulnerability in lighttpd Web Server Exposes Sensitive Data: Urgent Patch Required
The Carnegie Mellon CERT Coordination Center (CERT/CC) has issued a critical vulnerability note regarding a use-after-free vulnerability in lighttpd versions 1.4.50 and earlier. The flaw lets remote, unauthenticated attackers trigger it with crafted HTTP requests, leading to web server crashes and potential leakage of sensitive data. Although the lighttpd project addressed this issue in 2018, many deployments remain unpatched, posing significant security risks.
lighttpd, a lightweight web server designed for low-resource environments, is widely used in IoT devices and firmware due to its efficiency and minimal CPU and memory footprint. In November 2018, VDOO researchers identified a vulnerability in lighttpd's HTTP header parsing code, affecting versions 1.4.50 and earlier. This vulnerability, fixed in version 1.4.51 released in August 2018, was not assigned a CVE ID, leaving many system owners unaware that an update was required.
In April 2024, Binarly discovered that the vulnerability persisted in numerous products, highlighting a significant supply-chain risk. Without a CVE ID, many organizations failed to recognize the necessity of the security fix. The lighttpd project has now obtained CVE-2018-25103 to formally identify the vulnerability and alert supply-chain partners to implement the necessary updates.
Attackers can exploit this vulnerability by sending specially crafted HTTP requests to targeted web servers. This can result in:
- Denial of Service (DoS): Crashing the web server and making it unavailable to legitimate users.
- Information Disclosure: Leaking sensitive information from the server’s memory, including process addresses and potentially confidential data.
The impact of the CVE-2018-25103 vulnerability extends beyond individual websites. Due to lighttpd’s widespread use in IoT devices and embedded systems, a wide range of products could be at risk, including those from major vendors.
CERT/CC strongly recommends that organizations take immediate action to mitigate this threat:
- Apply Patches: Update lighttpd to the latest version, ensuring that all patches from the vendor are applied.
- Replace End-of-Life Devices: If your devices are no longer supported by the vendor, consider replacing them to eliminate the vulnerability.
- Restrict Network Access: Limit network access to lighttpd implementations to minimize exposure to potential attacks.
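As an added example (not from the CERT/CC note), the following Python triages an asset inventory of HTTP `Server` banners against the fixed release, 1.4.51. The inventory, host names and banner strings are constructed for illustration; a banner alone cannot prove a device is patched, since vendors may backport the fix or strip the version, so hosts without a parseable version are reported as unknown rather than safe.

```python
"""Flag lighttpd Server banners affected by CVE-2018-25103 (fixed in 1.4.51)."""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = (1, 4, 51)  # first lighttpd release containing the 2018 header-parsing fix
_BANNER_RE = re.compile(r"^lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner such as 'lighttpd/1.4.50'.

    Returns None when the header is not a lighttpd banner with a parseable
    version (hardened configs often strip it, and other servers do not match)."""
    m = _BANNER_RE.match(server_header.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(server_header: str) -> Optional[bool]:
    """True for lighttpd <= 1.4.50, False for >= 1.4.51, None if undeterminable.

    Caveat: a vendor may backport the fix without bumping the version, so
    True means 'investigate', not 'confirmed exploitable'."""
    version = parse_lighttpd_version(server_header)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: Server header} inventory to a triage label."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(hdr)] for host, hdr in inventory.items()}


# Constructed sample inventory (hypothetical hosts): host -> observed Server header
SAMPLE_INVENTORY = {
    "cam-01.lan": "lighttpd/1.4.35",
    "nas-02.lan": "lighttpd/1.4.50",
    "router.lan": "lighttpd/1.4.76",
    "printer.lan": "lighttpd",        # version stripped: needs vendor firmware notes
    "web-03.lan": "nginx/1.24.0",     # not lighttpd at all
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:18} {status}")
```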