Lenovo Fixes Critical Holes

Wednesday, May 13, 2015 @ 09:05 AM gHale

Lenovo patched holes that could allow an attacker to leverage the System Update service in its computers, researchers said.

Lenovo’s System Update feature downloads system updates from the Internet. The catch is though, there are vulnerabilities that could enable attackers to get in, said researchers at IOActive in an advisory.

Malware Delivers Trojan to Enterprises
Cisco Fixes Critical Vulnerability
Cisco Updates Vulnerabilities
Cisco Mitigates DoS Holes

“Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute.

“Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions,” IOActive researchers said in an advisory.

The second issue has to do with signature validation issues. If left unpatched, local and remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious ones. In this case, Lenovo failed to validate the certificate authority (CA) chain, allowing an attacker to potentially create a fake CA and use it to create a fraudulent code-signing certificate.

“Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable,” the advisory said. “The System Update uses TLS/SSL to secure its communications with the update server, which should protect against “coffee shop” style attacks.”

The third flaw allows local unprivileged users to run commands as administrators. While the System Update checks for a signature before running executables downloaded from the Internet, it does so in a directory that is writeable by any user.

Lenovo patched the three vulnerabilities in April.

Leave a Reply

You must be logged in to post a comment.