Lenovo addresses insecure credential storage bug in Fingerprint Manager Pro
Lenovo addresses insecure credential storage bug in Fingerprint Manager Pro

Hardware and electronics manufacturer Lenovo disclosed an insecure credential storage vulnerability in its Fingerprint Manager Pro utility software, which can be exploited for local privilege escalation on a variety of systems.

The software, which lets device owners use fingerprint recognition to log in or authenticate to configured websites, was fixed with the 11 January release of version 8.01.87. But in prior versions, sensitive data, including logon credentials and fingerprint data, "is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed," Lenovo warned in a 25 January security advisory.

The high-severity bug, CVE-2017-3762, was discovered by Security Compass researcher Jason Thuraisamy, and applies to the following systems running on Windows 7, 8 and 8.1:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Also on 25 January, Lenovo released a second security update that announced a firmware fix for CVE-2017-3768, a medium-severity vulnerability in the Integrated Management Module 2, which could allow unprivileged users to trigger a denial of service condition.