Some Intel and Lenovo products contain unfixable bugs in their firmware that could lead to devices being hacked. The vulnerability has not been patched for years and never will be, as the affected products have been deemed “end of life” and will not receive any additional software updates. While the vulnerability is severe enough for bad actors to link it to more sophisticated exploits, it doesn’t pose much of a threat on its own.
This week, security company Binarly released a report Regarding security issues, these questions revolve around lightpod— A flexible open source web server used in a variety of technology products, including firmware components. Years ago, in the summer of 2018, Lighttpd maintainers discovered a remotely exploitable software vulnerability within Lighttpd, hypothesizing that it could allow savvy cybercriminals to access critical security information.
Binarly researchers say that Lighttpd’s software maintainers quietly released a fix into their own code, but they did not formalize it via a CVE, a common identifier of vulnerabilities and exposures, which would allow users of the software to The company fixes the problem. Lighttpd is used in many products, including those made by American Megatrends International (AMI), which makes the firmware software that many large companies rely on.
The trickle-down effect is that certain types of hardware, including various products made by Lenovo and Intel, never get a fix and therefore remain susceptible to the bug. Binarly researchers claim that now these affected devices will never be repaired because their vendors are no longer rolling out software updates for them.
When contacted for comment, Lenovo said it was “aware of the AMI MegaRAC issues noted by Binarly” and was “working with our vendors to determine any potential impact on Lenovo products.” Intel, meanwhile, said that “the affected devices are currently discontinued, which means no feature, security, or other updates will be provided.”
technical art noticed “The lighttpd vulnerability is only moderately severe and of no value unless an attacker is able to exploit a more severe vulnerability.” Binarly researchers said, “A potential attacker could exploit this vulnerability to read the memory of the Lighttpd web server process.” This could lead to “disclosure of sensitive data, such as memory addresses,” and “could be used to bypass security mechanisms, such as ASLR.” Therefore, the bug seems more like a starting point for a more sophisticated attack, although it clearly provides the means for intrusion and eventual compromise Chance.