Some Intel and Lenovo products have an unfixable bug in their firmware that could allow the devices to be hacked. The bug in question has sat unpatched for years and will never be patched because the impacted products have been deemed “end-of-life” and won’t receive any additional software updates. While the vulnerability is serious enough to allow a bad actor to chain it to a more sophisticated exploit, it doesn’t, on its own, present much of a threat.
This week, the security firm Binarly published a report about the security issues, which revolve around Lighttpd—a flexible, open-source web server that is used in myriad tech products, including firmware components. Years ago, in the summer of 2018, a remotely exploitable software vulnerability was discovered inside Lighttpd by its maintainers that could have hypothetically allowed a savvy cybercriminal to access vital security information.
Lighttpd’s software maintainers quietly issued a fix in their own code, Binarly researchers said, but they didn’t formalize it via a CVE—a common vulnerabilities and exposures identifier—which would have allowed companies using the software to fix the issue. Lighttpd is used in many products, including those produced by American Megatrends International (AMI), a company that produces much of the firmware software that major companies rely upon.
The trickle-down effect is that certain kinds of hardware—including various products produced by Lenovo and Intel—never got the fix and, therefore, are still vulnerable to the bug. Now, those impacted devices will never be fixed, Binarly researchers claim, because their vendors aren’t pushing out software updates for them anymore.
When reached for comment, Lenovo said it is “aware of the AMI MegaRAC concern identified by Binarly” and that it is “working with our supplier to identify any potential impacts to Lenovo products.” Intel, meanwhile, said that the “affected device is currently end-of-life, meaning no functional, security, or other updates will be provided.”
Ars Technica notes that “the severity of the lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability.” Binarly researchers have said that a “potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process,” which could lead to “sensitive data exfiltration, such as memory addresses” and “can be used to bypass security mechanisms such as ASLR.” Therefore, the bug would appear to be more of a jumping-off point for a more sophisticated attack, although it clearly presents an opportunity for intrusion and, eventually, compromise.