A vulnerability in a popular open-source web server that was quietly patched six years ago means several end-of-life big-name servers will likely always be vulnerable to the bug, according to cybersecurity firm Binarly.
The vulnerability in question affects Lighttpd, a popular open source web server known for its flexibility and low resource cost. It is often embedded in enterprise software, data center equipment and cloud service provider infrastructure. A chain of events that highlights the complexity of securing open source software, and the complicated supply chain behind enterprise products, means that several widely used downstream products are likely to contain a vulnerable version of Lighttpd for the foreseeable future.
Lighttpd developers patched the bug in 2018, but did not announce it or assign a CVE to notify users of the security update, Binarly said in a report published Thursday. American Megatrends International (AMI), a U.S. technology company, relies on Lighttpd in a piece of firmware known as AMI MegaRAC, but the company never updated its copy of Lighttpd to address the vulnerability. As a result, a version of AMI MegaRAC containing a vulnerable version of Lighttpd was included in a number of widely used Intel and Lenovo products.
Worse, several of the affected products reached end-of-life earlier this year, meaning that, so far, no vendor has indicated it will update those products with a security fix.
Alex Matrosov, co-founder and CEO of Binarly, calls vulnerabilities like these “eternal bugs” because of their long-term impact and says they pose “huge” problems for open source projects. Matrosov said his company has found more than 2,000 devices containing the Lighttpd vulnerability, but he believes the true impact is likely much greater. Combined with other bugs, the vulnerability could lead to a buffer overflow attack, Matrosov said.
A Lenovo spokesperson said the company is “aware of the AMI MegaRAC concerns identified by Binarly” and is working to determine the “impact on Lenovo products.” An Intel spokesperson said that “the affected device is currently at end-of-life, which means that no functional, security or other updates will be available.”
AMI did not immediately respond to requests for comment, nor did the Lighttpd developers.
It appears that the Lighttpd developers only mentioned the security update in a GitHub commit. But while the open source developers did not request a CVE, it also appears that AMI hasn’t updated its copy of Lighttpd since at least 2018, when the upstream code received the security patch.
Binarly’s report highlights a problem that has become a growing concern for the Biden administration, especially after the discovery of the Log4Shell flaw.
The administration is examining how to work with the developer community to secure open source software proactively. Major vendors have long relied on open source software, and while some help develop it or contribute resources, a large number of developers still maintain widely used software with little support.
In recent weeks, a researcher discovered a cunningly designed backdoor inserted into a popular piece of open source software designed to provide powerful espionage capabilities. Experts described the incident as a near-averted disaster.