Some Intel and Lenovo products have an unrecoverable flaw in the firmware that could allow the devices to be hacked. The bug in question remained unpatched for years and will never be patched because the affected products are considered “end-of-life” and will not receive any further software updates. Although the vulnerability is severe enough to allow an attacker to link it to a more sophisticated exploit, it does not pose a major threat on its own.
This week security company released Binarly a report about the security issues at stake Lighttpd– a flexible open source web server used in countless technical products, including firmware components. Years ago, in the summer of 2018, Lighttpd’s maintainers discovered a remotely exploitable software vulnerability that could hypothetically have allowed a sophisticated cybercriminal to access important security information.
According to Binarly researchers, Lighttpd’s software maintainers quietly issued a fix in their own code, but did not formalize it via a CVE – a common vulnerability and compromise identifier – which would have allowed companies using the software to to fix the problem. Lighttpd is used in many products, including those from American Megatrends International (AMI), a company that produces much of the firmware software that large companies rely on.
The trickle-down effect is that certain types of hardware – including various products from Lenovo and Intel – never received the fix and are therefore still vulnerable to the error. Now, these affected devices will never be repaired, Binarly researchers claim, because their vendors no longer release software updates for them.
When reached for comment, Lenovo said it was “aware of the AMI MegaRAC issue identified by Binarly” and was “working with our supplier to determine any possible impact on Lenovo products.” Intel, meanwhile, said that “the affected device is currently no longer available, meaning no functional, security or other updates will be provided.”
Ars Technica notes that “The severity of the Lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more serious vulnerability.” Binarly researchers have said that a “potential attacker can exploit this vulnerability to “reading the memory of the Lighttpd web server process,” leading to “exfiltration of sensitive data such as memory addresses” and “bypassing security mechanisms such as. B ASLR.” Therefore, the flaw appears to be more of a starting point for a more sophisticated attack, although it clearly presents an opportunity for intrusion and eventual compromise.