Breach Preparedness , Cybersecurity , Data Breach

Lenovo Patches Critical PC Flaws

After Superfish, Fresh Warnings Over Preinstalled Software
Lenovo Patches Critical PC Flaws

Lenovo issued an emergency patch to fix flaws in software that it preinstalls on many of its Windows PCs after security researchers warned that it contained vulnerabilities that attackers could use to remotely seize control of systems.

See Also: Security Shouldn't be Boxed: The Cloudified Edge & End of an Era for Hardware Box Providers

The vulnerabilities affect the Lenovo System Update software - version 5.6.0.27 and before - which was previously known as ThinkVantage System Update. The Chinese PC manufacturer says the vulnerable software may be present on its ThinkPad, ThinkCenter and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series devices.

The flaws were discovered by IOActive security researchers Michael Milvich and Sofiane Talmat in February, after which they alerted Lenovo and helped it prepare related fixes, which Lenovo released in April. But the researchers' findings were only made public this week.

One flaw, rated critical by the IOActive researchers, centered on a "race condition," in which attackers could have System Update verify that an executable file was legitimate, and then substitute a malicious executable. "Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation," Lenovo warns in a related security advisory.

To fix the flaws, users should update to version 5.06.0034 or later of Lenovo's software, which includes related patches. "Lenovo System Update automatically checks for a [new] version whenever the application is run," the company's security advisory says. "Click OK when prompted that new version is available." Alternately, users can download updates manually.

Follows Superfish

The security alert follows revelations in February that Lenovo, which is the world's largest PC manufacturer, had been preinstalling adware called Superfish on many of its PCs. Numerous security experts warned that the adware put users at risk because of the insecure manner in which it used digital certificates to intercept and decrypt otherwise encrypted Internet traffic.

Now, security experts are expressing dismay that yet more flaws have been found in Lenovo's preinstalled software. "Lenovo has been found wanting again on the security front," information security expert Alan Woodward, a professor at Surrey University, tells the BBC. Following on the Superfish debacle, he said Lenovo was demonstrating a "lamentable record for security."

While Lenovo initially defended Superfish - as a feature - it later backed off and began working with security firms to delete the software. The manufacturer also promised that beginning with new devices running the forthcoming Windows 10 operating system it would include only essential operating system and related software, including hardware drivers, security software and Lenovo's own applications, with a spokeswoman saying they would be free from "what our industry calls 'adware' and 'bloatware.'"

Predictable Security Tokens

While Superfish adware was preinstalled on many consumer-focused Lenovo systems, the new vulnerabilities are largely present on business-oriented machines.

Furthermore, Lenovo's System Update software is powerful, in that it will execute any code that it receives, for example to update the Windows operating system. Such functionality would be useful to attackers, of course, if they could trick it into installing malicious code. If that attack was successful, then the attackers could install a backdoor, execute malware that steals data stored on the device, and take full control of the machine.

To guard against that, the System Update software requires any client that attempts to connect to the service to authenticate itself, using a security token. "Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions," the IOActive researchers say about the previous version of System Update. "As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed." Lenovo's patch, however, fixes that problem.

Another Flaw Patched

Another problem present in previous versions of the Lenovo System Update software was a failure to conduct complete security checks on executable code.

"As a security measure, Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them," the IOActive researchers said in their vulnerability warning. As before, this flaw was patched by Lenovo in April.

In particular, the Lenovo software did not fully validate the certificate authority chain. As a result, an attacker could create a fake certificate authority, use it to sign a malicious executable, and then fool the System Update software into executing it.

For example, per the "classic coffee shop attack," a related man-in-the-middle attack could be launched if the attacker was connected to the same WiFi network as a vulnerable Lenovo PC, the researchers say. "The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks," they add.

But protection was provisional on the Lenovo software correctly handling digital certificates, which it was not. "Lenovo - like Fandango, Kredit Karma, and an estimated 40 percent or more of mobile application developers - were not able to validate if certificates were from a trusted authority," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which develops software to secure and protect cryptographic keys and digital certificates. "As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide [via] encryption, and go undetected."

Again, however, Lenovo and IOActive report that all of the above flaws have now been patched.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network