{"id":3058,"date":"2024-04-11T16:36:34","date_gmt":"2024-04-11T21:36:34","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80110"},"modified":"2024-04-11T16:36:34","modified_gmt":"2024-04-11T21:36:34","slug":"six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/11\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products\/","title":{"rendered":"Six-year old bug will likely live forever in Lenovo, Intel products"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Six-year old bug will likely live forever in Lenovo, Intel products | CyberScoop<\/title> <meta name=\"description\" content=\"A report from Binarly finds that a silently patched bug in a popular web server will likely live on in several major end-of-life products.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/lightppd-vulnerability-ami-open-source\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Six-year old bug will likely live forever in Lenovo, Intel products\"> <meta property=\"og:description\" content=\"A report from Binarly finds that a silently patched bug in a popular web server will likely live on in several major end-of-life products.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/lightppd-vulnerability-ami-open-source\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-04-11T21:36:34+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1483\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1712258582g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1711866546g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80110\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" 
content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80110\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flightppd-vulnerability-ami-open-source%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flightppd-vulnerability-ami-open-source%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80110 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/lightppd-vulnerability-ami-open-source\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon 
icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.428338762215\">\n<div class=\"single-article__header-content\" readability=\"29.832\">\n<p> A report from Binarly finds that a silently patched bug in a popular web server will likely live on in several major end-of-life products. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"494\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products.jpg?resize=640%2C494&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=300,232 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=768,593 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=1024,791 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=1536,1186 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=600,463 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=218,168 218w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=436,337 436w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=874,675 874w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-2.jpg?resize=1091,843 1091w\" sizes=\"(max-width: 874px) 100vw, 874px\"><figcaption> Aisle with messy cables in a server room. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.057588805167\"><body readability=\"67.061931317875\"><\/p>\n<p>A vulnerability in a popular open-source web server that was silently patched six years ago means that several end-of-life servers from major brands will likely always be vulnerable to the bug, according to the cybersecurity firm Binarly.<\/p>\n<p>The vulnerability in question impacts Lighttpd, a popular open-source web server product known for its flexibility and low resource cost. It\u2019s frequently used in enterprise software, data centers, and by cloud providers. 
A series of events highlighting the complexity of securing open-source software and the complicated supply chain for enterprise products means that a handful of widely used products made by these companies will likely contain a vulnerable version of Lighttpd for the foreseeable future.&nbsp;&nbsp;<\/p>\n<p>Lighttpd\u2019s developers patched the bug in 2018 but did not announce the fix or assign a CVE identifier that would have let users know of the security update, Binarly said in a <a href=\"https:\/\/www.binarly.io\/blog\/lighttpd-gains-new-life\">report issued Thursday<\/a>. The tech company American Megatrends International relies on Lighttpd in a piece of firmware known as AMI MegaRAC, but the firm never updated its instance of Lighttpd to address the vulnerability. That allowed a version of AMI MegaRAC containing the vulnerable version of Lighttpd to be included in a series of widely used Intel and Lenovo products.&nbsp;<\/p>\n<p>What\u2019s worse, several of the affected products reached end-of-life earlier this year, meaning that as of now none of the vendors will update their products with the security fix.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Alex Matrosov, the co-founder and CEO of Binarly, calls vulnerabilities like these \u201cforever bugs\u201d due to their long-lasting impact and said they pose \u201cmassive\u201d issues for open-source projects. Matrosov said his firm found more than 2,000 devices containing the Lighttpd vulnerability, but believes the true impact is likely much larger. 
In concert with other bugs, the vulnerability could lead to buffer overflow attacks, Matrosov said.<\/p>\n<p>A spokesperson for Lenovo said the company is \u201caware of the AMI MegaRAC concern identified by Binarly\u201d and is working to identify \u201cimpacts to Lenovo products.\u201d An Intel spokesperson said that \u201cthe affected device is currently end-of-life, meaning no functional, security, or other updates will be provided.\u201d<\/p>\n<p>AMI did not immediately respond to requests for comment, nor did Lighttpd developers.<\/p>\n<p>Lighttpd\u2019s developers appear to have only mentioned the security update in a <a href=\"https:\/\/github.com\/lighttpd\/lighttpd1.4\/commit\/df8e4f95614e476276a55e34da2aa8b00b1148e9\">commit<\/a> on GitHub. But while the open-source developers may not have created a CVE, AMI also does not appear to have updated its instance of Lighttpd since at least 2018, when the code was updated with the security fix.<\/p>\n<p>Binarly\u2019s report highlights an issue that has become a growing concern for the Biden administration, especially after the discovery of the <a href=\"https:\/\/cyberscoop.com\/tag\/log4shell\/\">Log4Shell<\/a> bug.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The administration is examining how to work with the developer community to better secure open-source software out of the box. Major vendors have long used open-source software and while some do assist in development or contribute resources, there are still a large number of developers working with little help to maintain widely deployed software.&nbsp;<\/p>\n<p>In recent weeks, a researcher <a href=\"https:\/\/cyberscoop.com\/xz-utils-open-source\/\">discovered<\/a> a cunningly designed backdoor, built to provide powerful espionage capabilities, that had been inserted in a popular piece of open-source software. 
Experts described that incident as a narrowly averted catastrophe.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.6363636363636\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/six-year-old-bug-will-likely-live-forever-in-lenovo-intel-products-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> 
<\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/lightppd-vulnerability-ami-open-source\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Six-year old bug will likely live forever in Lenovo, 
Intel<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1863,1073,288,643,703],"tags":[1864,1076,294,645,705],"class_list":["post-3058","post","type-post","status-publish","format-standard","hentry","category-lenovo","category-open-source","category-threats","category-vulnerabilities","category-vulnerability-disclosure","tag-lenovo","tag-open-source","tag-threats","tag-vulnerabilities","tag-vulnerability-disclosure"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lenovo\/\" rel=\"category tag\">Lenovo<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category tag\">vulnerability disclosure<\/a>","tag_info":"vulnerability 
disclosure","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3058"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3058\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}