Unfixable bug in Intel and Lenovo firmware poses security risk


Unpatched Firmware Bug Affects Intel and Lenovo Devices

Recent reports have revealed that certain Intel and Lenovo products are affected by an unfixable bug in their firmware, leaving them vulnerable to potential hacking. The bug, which has remained unpatched for years, poses a significant risk as the impacted products have reached their “end-of-life” status and will not receive any further software updates.

The Lighttpd Vulnerability: Background and Impact

The security firm Binarly recently published a report highlighting security issues related to Lighttpd, an open-source web server widely used in various tech products, including firmware components. In the summer of 2018, maintainers of Lighttpd identified a remotely exploitable software vulnerability that could allow cybercriminals access to sensitive security information.

While the maintainers quietly addressed the issue within their code, they did not formally document it with a CVE identifier, which companies rely on to track and patch vulnerabilities. This oversight has left numerous products, such as those from American Megatrends International (AMI) and subsequently Lenovo and Intel, vulnerable to the bug.

Implications for Lenovo and Intel Devices

Lenovo has acknowledged the concern raised by Binarly regarding the AMI MegaRAC vulnerability and is collaborating with suppliers to assess any potential impacts on Lenovo products. Intel, on the other hand, has stated that the affected devices are no longer supported, meaning that no updates, including security patches, will be provided.

An article from Ars Technica notes that the severity of the Lighttpd vulnerability is moderate and only becomes exploitable if combined with a more severe exploit. Binarly researchers have indicated that the bug could enable an attacker to access memory information from the Lighttpd Web Server process, potentially leading to data exfiltration and security mechanism bypass.

Conclusion

While the unpatched firmware bug in Intel and Lenovo devices may not pose an immediate threat on its own, it remains a significant security concern because it can still be exploited in combination with a more severe flaw. The lack of software updates for end-of-life products leaves them susceptible to potential cyberattacks, emphasizing the importance of proactive security measures and continuous monitoring of vulnerabilities in tech products.


About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.