(safe) Unsecure security


(un) Security - Who will guard the guards?

founded 2 years ago

ECDSA NIST-P521 keys used with any vulnerable product / component should be considered compromised and consequently revoked by removing them from authorized_keys, GitHub, ...
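One way to act on the "remove them from authorized_keys" part, as an added example that is not from the comment above or from any vendor's tooling: a Python script that parses authorized_keys entries (including the optional options field, whose quoted values may contain spaces), decodes each key blob, and flags or strips every P-521 entry. It assumes only the OpenSSH authorized_keys line format (`[options] keytype base64-blob [comment]`) and the SSH wire encoding of public-key blobs (length-prefixed strings; for ECDSA: type, curve name, point). The sample file and its key blobs are constructed for the demonstration and are not real keys. Keys uploaded to GitHub have to be removed through the account settings or API and are not covered here.

```python
"""Find and strip ECDSA NIST P-521 keys from an authorized_keys file.

Added example, not code from the original thread. Assumes the OpenSSH
authorized_keys format and the SSH public-key blob encoding.
"""
import base64
import struct

P521_TYPE = "ecdsa-sha2-nistp521"
P521_CURVE = "nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """Encode bytes as an SSH 'string' (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, off):
    """Decode one SSH 'string' at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def _split_options(line):
    """Split off the optional options field. Option values may be double-quoted
    and contain spaces or escaped quotes, e.g. command="echo \\"a b\\""."""
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote = escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""  # options but no key: malformed entry


def _blob_curve(b64):
    """Return (blob_type, curve) from the decoded blob; curve is None unless ECDSA."""
    blob = base64.b64decode(b64, validate=True)
    blob_type, off = _read_ssh_string(blob, 0)
    blob_type = blob_type.decode("ascii")
    curve = None
    if blob_type.startswith("ecdsa-sha2-"):
        curve_b, off = _read_ssh_string(blob, off)
        curve = curve_b.decode("ascii")
    return blob_type, curve


def find_p521(text):
    """Return [(line_number, declared_type, comment)] for every entry that is
    P-521 by its declared type OR by its blob contents. Both are checked, so a
    line whose two halves disagree is still flagged rather than silently kept."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _opts, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue  # not a key entry
        ktype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob_type, curve = _blob_curve(b64)
        except (ValueError, struct.error, UnicodeDecodeError):
            blob_type, curve = None, None  # undecodable blob: judge by the type field
        if ktype == P521_TYPE or blob_type == P521_TYPE or curve == P521_CURVE:
            hits.append((lineno, ktype, comment))
    return hits


def strip_p521(text):
    """Return the file with every P-521 entry removed; all other lines
    (comments and blanks included) are kept verbatim."""
    drop = {lineno for lineno, _, _ in find_p521(text)}
    keep = [l for i, l in enumerate(text.splitlines(), 1) if i not in drop]
    return "\n".join(keep) + ("\n" if text.endswith("\n") else "")


# --- constructed sample input; the blobs parse correctly but are NOT real keys ---
def _fake_blob(ktype, curve, point_len):
    blob = _ssh_string(ktype.encode())
    if curve:
        blob += _ssh_string(curve.encode())
    blob += _ssh_string(b"\x04" + b"\x00" * (point_len - 1))  # dummy point bytes
    return base64.b64encode(blob).decode()


SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519', None, 32)} alice@laptop",
    'command="/usr/bin/backup \\"a b\\"",no-pty '
    f"{P521_TYPE} {_fake_blob(P521_TYPE, P521_CURVE, 133)} backup@host",
    f"ecdsa-sha2-nistp256 {_fake_blob('ecdsa-sha2-nistp256', 'nistp256', 65)} bob@desk",
    f"{P521_TYPE} {_fake_blob(P521_TYPE, P521_CURVE, 133)}",
]) + "\n"

if __name__ == "__main__":
    for lineno, ktype, comment in find_p521(SAMPLE):
        print(f"line {lineno}: {ktype} {comment or '(no comment)'}")
    print(strip_p521(SAMPLE), end="")
```

Run it against a real file with `find_p521(open("~/.ssh/authorized_keys").read())` after expanding the path; write `strip_p521(...)` back only after reviewing the hits, since the options field (forced commands, `from=` restrictions) is dropped together with the key and may need to be re-attached to the replacement key.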

Although the vulnerability was addressed in August 2018, the maintainers of lighttpd patched it silently in version 1.4.51 without assigning a tracking ID (CVE).

This led the developers of AMI MegaRAC BMC to miss the fix and fail to integrate it into the product. The vulnerability thus trickled down the supply chain to system vendors and their customers.

BMCs are microcontrollers embedded on server-grade motherboards, including systems used in data centers and cloud environments, that enable remote management, rebooting, monitoring, and firmware updating on the device.

In short: it is a BIOS/virtual keyboard and mouse accessible over the internet, and if you can access it, you control the computer. Of course, exposing such devices without adequate protection is an interesting idea in itself, but quite a few dedicated-server providers do it for various reasons (less work).

The website probably runs on PHP - upgrade!

This is quite important, but there is still hope: to be fully exploited, it seems one needs malware already present on the computer, and if that is already the case, there are more problems to solve.

The little known “manufacturer” or “manager” reset codes could let third parties—such as spies or criminals—bypass locks without the owner’s consent and are sometimes not disclosed to customers.

The fact that the DoD protected its own interests while not warning the public gives a stark demonstration of what could happen if a backdoor were inserted into a consumer electronics device or similar.

The documentation also explicitly says that sometimes the existence of a manager code may not be sent to an actual user of the device. “In some instances the Manager Code and associated Operating Instructions are not issued to the End User,” it reads, meaning that people may be using these locks without understanding that they can include a backdoor code.

"Khurana was handsomely compensated," Meta continued in its complaint. "But ... that was not enough." Despite that fat pay package and VP title, Khurana may have failed to consider the level of monitoring or logging that goes on inside Meta's networks, if the lawsuit's allegations are correct.

Funnily, Avast is under the same umbrella as AVG, Norton, Symantec and a bunch of other tools like CCleaner: https://en.wikipedia.org/wiki/Gen_Digital

Interesting study

No action required to be exploited