Researchers have discovered three major security flaws in Lenovo’s update system that could be exploited to install malware on users’ systems. The vulnerabilities were discovered by researchers at security firm IOActive back in February.
The researchers found that one of the vulnerabilities allows both local and remote attackers to bypass signature validation checks and replace trusted Lenovo applications with malicious applications, while the other two flaws allow attackers to gain a greater level of control over a system than they should have, letting them run malware as a system user.
The security flaws are present in Lenovo System Update 5.6.0.27 and earlier versions and are said to affect all ThinkPad, ThinkCentre and ThinkStation products as well as B, E, K and V-series systems.
“Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute,” wrote researchers Michael Milvich and Sofiane Talmat.
“Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions.”
Fortunately for Lenovo, IOActive has only disclosed the flaws now, after the PC maker had already patched its update system.
Acknowledging the issue, Lenovo in a statement said “Lenovo’s development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of System Update on April 1st which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege.”
“Existing installations of System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.”
The PC manufacturer has advised all its users to keep their machines as up to date as possible, adding, “In general, Lenovo encourages its users to keep their systems up to date by allowing automatic updates to run when prompted.”
Earlier this year, Lenovo came under fire following reports that it shipped laptops pre-installed with ‘horrifically dangerous’ software, ‘Superfish’, that tracked users’ every move online and rendered the computers vulnerable to hackers.