Intel and Lenovo Products Left With “Forever-Day” Bugs
A critical vulnerability in the Lighttpd web server embedded in Intel and Lenovo BMC firmware will never be patched in the affected products
CYBER SYRUP
A security flaw in the Lighttpd web server, which runs inside the baseboard management controllers (BMCs) shipped by vendors such as Intel and Lenovo, will remain unpatched in a number of those products, raising a broader question about what happens to embedded components once the hardware carrying them reaches end-of-life (EOL). The finding, reported by firmware security firm Binarly, points to a gap in how legacy systems are maintained.
Lighttpd is an open-source web server designed for speed with a small resource footprint, which suits constrained embedded systems such as BMCs. The vulnerability in question, an out-of-bounds read, was fixed by the Lighttpd maintainers in August 2018 with the release of version 1.4.51. The fix was silent: no CVE identifier was assigned and no advisory was published. Downstream vendors typically decide what to pull into firmware updates by tracking CVE feeds and advisories, so a fix that carries neither is effectively invisible to that process, and the patched code never made it into the firmware of the Intel and Lenovo products that bundle Lighttpd.
An out-of-bounds read does not by itself give an attacker code execution, but it can disclose whatever sits beyond the intended buffer, including pointers into the process's memory. Leaked addresses undermine address space layout randomization (ASLR): ASLR makes memory-corruption exploits unreliable by loading code and data at unpredictable addresses, and an attacker who reads a real address out of the process learns that layout and can then reliably exploit a separate memory-corruption bug in the same process. On a BMC, which is a privileged out-of-band path into the host platform, that chain is a serious concern.
Because the fix was never announced, it was not picked up along either the firmware or the software supply chain, and the vulnerable code persisted in shipping products. Every Lighttpd release before 1.4.51 is affected; the cases called out in the report are:
Lighttpd version 1.4.45 in Intel's M70KLP series firmware
Lighttpd version 1.4.35 in Lenovo's BMC firmware
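As an added example (not code from Binarly, Intel, Lenovo or the Lighttpd project), the following Python script does the version triage that a CVE-driven scanner misses here: it pulls every `lighttpd/x.y.z` banner out of a byte blob, whether a firmware image or a captured HTTP response, and compares each against 1.4.51, the first fixed release. It assumes the stock banner string survives in the vendor's build; the firmware bytes and HTTP responses below are constructed sample inputs, not real images or traffic.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Lighttpd 1.4.51 (August 2018) is the first release that carries the fix for
# the out-of-bounds read; every older release is affected.
FIXED_VERSION: Version = (1, 4, 51)

# Lighttpd advertises itself as "lighttpd/MAJOR.MINOR.PATCH", both in its
# Server: response header and as a string constant in the binary, so one
# pattern serves for firmware images and for captured HTTP responses.
# Assumption: the vendor's build did not strip or rename that banner.
VERSION_RE = re.compile(rb"lighttpd/(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn '1.4.45' into (1, 4, 45) so versions compare numerically, not as strings."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True for any lighttpd release older than the fixed 1.4.51."""
    return version < FIXED_VERSION


def find_lighttpd_versions(blob: bytes) -> List[Version]:
    """Return each distinct lighttpd version found in the blob, in order of first appearance."""
    found: List[Version] = []
    for match in VERSION_RE.finditer(blob):
        major, minor, patch = (int(g.decode("ascii")) for g in match.groups())
        version = (major, minor, patch)
        if version not in found:  # the banner usually appears several times in one binary
            found.append(version)
    return found


def assess(blob: bytes) -> List[dict]:
    """One verdict per embedded lighttpd version; an empty list means no banner was found."""
    return [
        {"version": ".".join(str(n) for n in version), "vulnerable": is_vulnerable(version)}
        for version in find_lighttpd_versions(blob)
    ]


# Constructed sample inputs, not real firmware or captured traffic. The version
# numbers mirror the two cases in the text: 1.4.45 (Intel M70KLP) and 1.4.35 (Lenovo BMC).
SAMPLE_FIRMWARE = (
    b"\x00" * 32
    + b"/usr/sbin/lighttpd\x00"
    + b"lighttpd/1.4.45\x00"
    + b"\xff" * 16
    + b"lighttpd/1.4.45 (ssl) - a light and fast webserver\x00"
)
SAMPLE_RESPONSE_VULN = b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Length: 0\r\n\r\n"
SAMPLE_RESPONSE_FIXED = b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.51\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, data in (
        ("firmware image", SAMPLE_FIRMWARE),
        ("BMC response (vulnerable)", SAMPLE_RESPONSE_VULN),
        ("BMC response (fixed)", SAMPLE_RESPONSE_FIXED),
    ):
        print(f"{label}: {assess(data)}")
```

A miss is not proof of a patched build: a vendor can strip or rename the banner, or backport the fix without bumping the version, so treat a hit as a confirmed finding and an empty result as a prompt to inspect the binary another way. Comparing against a version threshold rather than a CVE list is the whole point here: with no CVE ever assigned, a CVE-matching scanner reports nothing for these firmware images.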
Intel and Lenovo have declined to fix the issue in certain products because the firmware versions that carry the vulnerable Lighttpd have reached EOL and no longer qualify for security updates. That makes it a "forever-day" bug: a flaw in deployed software that will never be fixed and therefore stays exploitable for as long as the devices remain in service.
The case illustrates a wider problem in the industry: a firmware image can be the vendor's latest release and still carry a third-party component that is years out of date, with its unfixed bugs passed down the supply chain to end users. Managing such systems is hard precisely because they stay in service long after their components stop being supported.
Older technology that is neither patched nor retired tends to linger in critical IT environments, and a BMC is a particularly bad place for it, since it is a privileged out-of-band path into the host. Organizations should inventory their EOL products, assess the risk of keeping them, and act on the result: replace the hardware with supported models where possible, and in the meantime keep BMC management interfaces off the internet and on a dedicated, access-controlled management network.
The episode also shows why security fixes need to be communicated, not just committed. An upstream fix without a CVE or advisory gives downstream integrators nothing to act on, and a vendor that tracks only CVE feeds will miss it. The remedy runs in both directions: projects should publish advisories for security-relevant fixes, and integrators should follow the upstream releases of the components they bundle rather than relying on vulnerability databases alone. As hardware and software lifecycles lengthen, end-of-life management for bundled components matters as much as patching the product itself.