Some Intel and Lenovo products have unfixable bugs in their firmware that can cause your device to be hacked. The bug in question has not been patched in years and will never be patched because the affected products are considered “end of life” and cannot receive further software updates. The vulnerability is serious enough that malicious actors could link it to more sophisticated attacks, but it does not pose a significant threat on its own.
This week, security company Binarly announced: report About security issues lighttpd—A flexible, open-source web server used in numerous technology products, including firmware components. A few years ago, in the summer of 2018, Lighttpd’s administrators discovered a remotely exploitable software vulnerability. This vulnerability could have allowed skilled cybercriminals to access sensitive security information.
Lighttpd’s software maintainers quietly released fixes to their own code but did not formalize them through a CVE, a common vulnerability and exposure identifier that allows companies using the software to fix problems, Binarly researchers said. Lighttpd is used in many products, including those produced by American Megatrends International (AMI), a company that produces much of the firmware software that major companies rely on.
The trickle-down effect is that certain kinds of hardware, including various products produced by Lenovo and Intel, are still vulnerable to bugs because they haven’t gotten the fixes. Now that the vendor no longer provides software updates, affected devices will never be fixed, Binarly researchers claim.
When asked for comment, Lenovo said it was “aware of the AMI MegaRAC issue identified by Binarly” and that it was “working with our vendor to identify the potential impact to Lenovo products.” Meanwhile, Intel said, “The device is now discontinued, which means no feature, security, or other updates will be available.”
Ars Technica memo “The lighttpd vulnerability is of moderate severity and is of no value unless an attacker exploits a much more severe vulnerability.” “A potential attacker could exploit this vulnerability to read the memory of the Lighttpd web server process,” Binarly researchers said. This can lead to “leakage of sensitive data such as memory addresses” and “can be used to bypass security mechanisms such as: ASLR.” So while this bug certainly presents an opportunity for intrusion and eventual compromise, it also seems like a jumping-off point for more sophisticated attacks.