Some Intel and Lenovo products have an unfixable bug in their firmware that could allow the devices to be hacked. The bug in question has sat unpatched for years and can never be patched, because the affected products have been deemed "end-of-life" and won't receive any more software updates. While the vulnerability is serious enough to let a bad actor chain it into a more sophisticated exploit, it does not, by itself, present much of a threat.
This week, the security firm Binarly published a report about the security issues, which revolve around Lighttpd, a versatile, open-source web server that is used in myriad tech products, including firmware components. Years ago, in the summer of 2018, a remotely exploitable software vulnerability was discovered within Lighttpd by its maintainers that could have hypothetically allowed a savvy cybercriminal to access important security data.
Lighttpd's software maintainers quietly issued a fix in their own code, Binarly researchers said, but they did not formalize it via a CVE (a common vulnerabilities and exposures identifier), which would have allowed companies using the software to fix the problem. Lighttpd is used in many products, including those produced by American Megatrends International (AMI), a company that produces much of the firmware software that major companies rely on.
The trickle-down effect is that certain kinds of hardware, including various products produced by Lenovo and Intel, never got the fix and, therefore, are still vulnerable to the bug. Now, these affected devices will never be fixed, Binarly researchers claim, because their vendors are no longer pushing out software updates for them.
When reached for comment, Lenovo said it is "aware of the AMI MegaRAC issue identified by Binarly" and that it is "working with our supplier to identify any potential impacts to Lenovo products." Intel, meanwhile, said that the "affected device is currently end-of-life, meaning no functional, security, or other updates will be provided."
Ars Technica notes that "the severity of the lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability." Binarly researchers have said that a "potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," which could lead to "sensitive data exfiltration, such as memory addresses" and "can be used to bypass security mechanisms such as ASLR." Therefore, the bug would appear to be more of a jumping-off point for a more sophisticated attack, although it clearly presents an opportunity for intrusion and, ultimately, compromise.