Researchers discover Intel and Lenovo’s oldest hardware has firmware vulnerabilities that will never be fixed
Some Intel and Lenovo products have an unfixable firmware error that could allow devices to be hacked. The error has been left unpatched for years and will never be fixed because the affected products have been deemed “end of life” and will not receive any further software updates. While the vulnerability is serious enough to potentially be exploited by a malicious actor, it does not pose a major threat on its own.
Binarly, a security firm, recently published findings about security issues in Lighttpd, a flexible open-source web server used in numerous technology products, including firmware components. In the summer of 2018, a remotely exploitable vulnerability was discovered in Lighttpd that could hypothetically have allowed an attacker to access crucial security information.
The maintainers of Lighttpd quietly issued a fix in their code, according to Binarly researchers, but did not formalize it through a Common Vulnerabilities and Exposures (CVE) identifier, which would have allowed companies using the software to address the issue. As a result, certain types of hardware, including various products produced by Lenovo and Intel, never received the fix and remain vulnerable to the error. These affected devices will not be repaired because their providers are not releasing software updates for them.
When asked for comment, Lenovo acknowledged the concern identified by Binarly regarding AMI MegaRAC and stated they are working with their provider to identify any potential impact on Lenovo products. Meanwhile, Intel mentioned that the affected device is at the end of its life cycle, meaning no functional, security, or other updates will be provided.
Ars Technica mentioned that the severity of the Lighttpd vulnerability is moderate and that it is valuable only if an attacker also has a more severe exploit. Binarly researchers noted that a potential attacker could exploit the vulnerability to read the Lighttpd web server’s memory, potentially leading to the exfiltration of confidential data and the bypassing of security mechanisms such as address space layout randomization (ASLR). Although the error may serve only as a starting point for a sophisticated attack, it still presents an opportunity for intrusion and compromise.
