Outdated Web Server Vulnerability Creates Long-Term Risks for Device Vendors

The discovery of a security flaw in the Lighttpd web server that remains unpatched in shipped devices has raised concerns about the risks faced by device vendors such as Intel and Lenovo. Although Lighttpd maintainers fixed the flaw in 2018, the fix was never assigned a CVE identifier or accompanied by an advisory, so it went unnoticed by downstream developers. Consequently, the vulnerable code found its way into products made by Intel and Lenovo.

Lighttpd is a high-performance, open-source web server known for its speed, security, and resource efficiency. Unfortunately, one particular flaw in Lighttpd created an out-of-bounds read vulnerability that could be exploited by threat actors to exfiltrate sensitive data, effectively bypassing critical security measures.

Binarly, a firmware security company, has expressed concern about the absence of prompt, actionable information about security fixes. This information gap hinders the proper handling of fixes throughout the firmware and software supply chains, leaving devices exposed to ongoing threats.

What makes this situation even more concerning is that Intel and Lenovo have chosen not to address the issue. The affected versions of Lighttpd used in their products have reached end-of-life status, rendering them ineligible for security updates. This effectively transforms the vulnerability into a “forever-day bug,” posing ongoing risks to the industry.

This disclosure highlights the need for the industry to address outdated third-party components that can create unintended security risks. The presence of these outdated components in the latest firmware versions can have far-reaching consequences, impacting end users and perpetuating high-impact risks.

Device vendors and developers must prioritize ongoing security updates and adopt a proactive approach to ensure that vulnerabilities are promptly acknowledged and addressed. By closing these security gaps, the industry can mitigate risks and bolster the overall security of their products.


The source of the article is from the blog scimag.news