Some Intel and Lenovo products ship firmware with a vulnerability that will never be fixed. The bug has sat unpatched for years and can no longer be patched because the affected products have been declared end-of-life and will receive no further software updates. The vulnerability is serious enough that an attacker could chain it with a more sophisticated exploit, but on its own it does not present much of a threat.
This week, the security firm Binarly published a report on the problem, which revolves around Lighttpd, a lightweight, open-source web server used in myriad tech products, including firmware components. Back in the summer of 2018, Lighttpd's maintainers discovered a remotely exploitable vulnerability in the server that could, in principle, let a knowledgeable attacker read sensitive information out of the server process.
Lighttpd's maintainers quietly fixed the bug in their own code, Binarly's researchers said, but never formalized it with a CVE (Common Vulnerabilities and Exposures) identifier, which is what would have alerted companies that embed the software and prompted them to pull in the fix. Lighttpd is used in many products, including the firmware produced by American Megatrends International (AMI), whose MegaRAC firmware for baseboard management controllers (BMCs) is relied on by many major hardware vendors.
The trickle-down effect is that certain hardware, including various products made by Lenovo and Intel, never received the fix and is therefore still vulnerable. Now, Binarly's researchers say, these affected devices will never be fixed, because their vendors are no longer issuing software updates for them.
When reached for comment, Lenovo said it is "aware of the AMI MegaRAC concern identified by Binarly" and that it is "working with our supplier to identify any potential impacts to Lenovo products." Intel, meanwhile, said that the "affected device is currently end-of-life, meaning no functional, security, or other updates will be provided."
Ars Technica notes that "the severity of the lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability." Binarly's researchers have said that a "potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," which could lead to "sensitive data exfiltration, such as memory addresses" and "can be used to bypass security mechanisms such as ASLR." The distinction matters: a read-only memory disclosure cannot by itself corrupt anything, but ASLR only works as long as the attacker does not know where code and data have been loaded, and a leaked pointer gives that away. Paired with a separate memory-corruption bug, it turns an unreliable exploit into a reliable one. The bug is therefore best seen as a jumping-off point for a more sophisticated attack rather than a compromise in itself, though it clearly lowers the bar for one.
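To make concrete why a read-only disclosure is "a jumping-off point" rather than harmless, here is an added, constructed illustration in C. It is not Lighttpd's or AMI's code and does not reproduce the bug Binarly reported; it models the general pattern Binarly describes. A parser trusts an attacker-supplied length and over-reads a fixed-size header field; the bytes that follow the field happen to hold a code pointer; and because the distance between any two functions in one image is fixed at link time, a single leaked pointer yields the runtime address of everything else in that image, which is exactly what ASLR was meant to hide. The byte arena, the field size, the header value and the function names are all invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { FIELD_SZ = 16, ARENA_SZ = 64 };

typedef void (*callback_t)(void);

/* Constructed stand-in for the web server's heap: a 16-byte header field sits
   directly before an object that stores a code pointer (a callback). */
static unsigned char arena[ARENA_SZ];

static void on_request_done(void) { }     /* the pointer the bug discloses */
static void privileged_handler(void) { }  /* the address the attacker wants */

static void setup_heap(void) {
    callback_t cb = on_request_done;
    memset(arena, 0, sizeof arena);
    memcpy(arena, "Sat, 01 Jan 2000", FIELD_SZ);  /* constructed header value */
    memcpy(arena + FIELD_SZ, &cb, sizeof cb);     /* adjacent object's callback */
}

/* Vulnerable: trusts the attacker-supplied length and reads past the field.
   Nothing is written, so the process does not crash; it simply returns
   whatever memory follows the field. (Capped at the arena so the demo itself
   stays well defined; the arena models the mapped memory around the field.) */
static size_t copy_field_vuln(size_t claimed_len, unsigned char *out) {
    if (claimed_len > ARENA_SZ) claimed_len = ARENA_SZ;
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

/* Fixed: the read can never exceed the field. A real server would more
   likely reject an over-long request outright; clamping is the minimal fix. */
static size_t copy_field_fixed(size_t claimed_len, unsigned char *out) {
    if (claimed_len > FIELD_SZ) claimed_len = FIELD_SZ;
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

/* Attacker side. `delta_from_image` is the distance between the leaked
   function and the target function, read offline from the firmware image; it
   never changes because ASLR/PIE only slides the whole image. Returns 0 when
   the leak did not reach the pointer. */
static uintptr_t locate_from_leak(const unsigned char *leak, size_t leak_len,
                                  intptr_t delta_from_image) {
    uintptr_t leaked_ptr;
    if (leak_len < FIELD_SZ + sizeof leaked_ptr)
        return 0;
    memcpy(&leaked_ptr, leak + FIELD_SZ, sizeof leaked_ptr);
    return leaked_ptr + (uintptr_t)delta_from_image;  /* unsigned wrap is defined */
}

/* Stands in for the offline step of diffing two symbol addresses in the image. */
static intptr_t delta_from_firmware_image(void) {
    return (intptr_t)((uintptr_t)privileged_handler - (uintptr_t)on_request_done);
}

/* 1 when the over-long read lets the attacker compute the runtime address of
   privileged_handler from the leaked callback pointer. */
int vuln_read_defeats_aslr(void) {
    unsigned char out[ARENA_SZ];
    setup_heap();
    size_t n = copy_field_vuln(FIELD_SZ + sizeof(callback_t), out);
    return locate_from_leak(out, n, delta_from_firmware_image()) ==
           (uintptr_t)privileged_handler;
}

/* 1 when the bounded read discloses only the field and nothing usable. */
int fixed_read_leaks_nothing(void) {
    unsigned char out[ARENA_SZ];
    setup_heap();
    size_t n = copy_field_fixed(FIELD_SZ + sizeof(callback_t), out);
    return n == FIELD_SZ && locate_from_leak(out, n, delta_from_firmware_image()) == 0;
}

int main(void) {
    unsigned char out[ARENA_SZ];
    uintptr_t leaked;
    setup_heap();
    copy_field_vuln(FIELD_SZ + sizeof(callback_t), out);
    memcpy(&leaked, out + FIELD_SZ, sizeof leaked);
    printf("leaked callback pointer: 0x%llx\n", (unsigned long long)leaked);
    printf("over-read locates target: %s\n", vuln_read_defeats_aslr() ? "yes" : "no");
    printf("bounded read locates target: %s\n", fixed_read_leaks_nothing() ? "no" : "yes");
    return 0;
}
```

Build it as a position-independent executable (the default on most current toolchains) and run it twice: the leaked pointer changes from run to run under ASLR, yet the recovered target address matches every time, because the only secret ASLR protects is the load base and the leak hands it over. The fixed variant returns exactly the field and nothing beyond it, which is the entire content of the 2018 patch class: bound the read to the object.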