Six-year old bug will likely live forever in Lenovo, Intel products

A report from Binarly finds that a silently patched bug in a popular web server will likely live on in several major end-of-life products.
Aisle with messy cables in a server room. (Getty Images)

A vulnerability in a popular open-source web server that was silently patched six years ago means that several end-of-life servers from major brands will likely always be vulnerable to the bug, according to the cybersecurity firm Binarly.

The vulnerability in question impacts Lighttpd, a popular open-source web server product known for its flexibility and low resource cost. It’s frequently used in enterprise software, data centers, and by cloud providers. A series of events highlighting the complexity of securing open-source software and the complicated supply chain for enterprise products means that a handful of widely used products made by these companies will likely contain a vulnerable version of Lighttpd for the foreseeable future.  

Lighttpd’s developers patched the bug in 2018 but did not announce or assign a CVE that would have let users know of the security update, Binarly said in a report issued Thursday. The tech company American Megatrends International relies on Lighttpd in a piece of firmware known as AMI MegaRAC, but the firm never updated its instance of Lighttpd to address the vulnerability. That allowed a version of AMI MegaRAC containing the vulnerable version of Lighttpd to be included in a series of widely used Intel and Lenovo products. 

What’s worse, several of the affected products have just reached end-of-life earlier this year, meaning that as of now none of the vendors will update their products with the security fix.


Alex Matrosov, the co-founder and CEO of Binarly, calls vulnerabilities like these “forever bugs” due to their long-lasting impact and said they pose “massive” issues for open-source projects. Matrosov said his firm found more than 2,000 devices containing the Lighttpd vulnerability, but believes the true impact is likely much larger. In concert with other bugs, the vulnerability could lead to buffer overflow attacks, Matrosov said.

A spokesperson for Lenovo said the company is “aware of the AMI MegaRAC concern identified by Binarly” and is working to identify “impacts to Lenovo products.” An Intel spokesperson said that “the affected device is currently end-of-life, meaning no functional, security, or other updates will be provided.”

AMI did not immediately respond to requests for comment.

Lighttpd’s developers appear to have only mentioned the security update in a commit on GitHub. But while the open-source developers may not have created a CVE, AMI also does not appear to have updated its instance of Lighttpd since at least 2018, when the code was updated with the security fix.

Lighttpd developer Glenn Strauss said that vendors and users should test and update the program if they want to have the latest features, which include security updates.


“The criticism of lighttpd for not filing a CVE for every bug has some merit but is misplaced,” Strauss said in a statement. “Have the journalists levelling this criticism verified that vendors track CVEs and have upgraded lighttpd after lighttpd published other CVEs?”

Strauss also said that many vendors have not upgraded lighttpd even after they published other CVEs.

Binarly’s report highlights an issue that has become a growing concern for the Biden administration, especially after the discovery of the Log4Shell bug. 

The administration is examining how to work with the developer community to better secure open-source software out of the box. Major vendors have long used open-source software and while some do assist in development or contribute resources, there are still a large number of developers working with little help to maintain widely deployed software. 

In recent weeks, a researcher discovered a cunningly designed backdoor inserted in a popular piece of open-source software designed to provide powerful espionage capabilities. Experts described that incident as a narrowly averted catastrophe.


This story was updated April 15, 2024, with comments from Lighttpd developer Glenn Strauss.

Latest Podcasts