Lenovo patched two vulnerabilities over the US Thanksgiving holiday that would allow a hacker to acquire administrative privileges.
IOActive reported that Lenovo System Update 5.07.001 (CVE-2015-8109) contained issues that would give an attacker the ability to more easily predict usernames and passwords of the temporary administrator account.
“Lenovo creates a random temporary Administrator account with a username that follows the template tvsu_tmp_x xxxxXXXXX where each lowercase x is a randomly generated lower case letter and each uppercase X is a randomly generated uppercase letter. A 19-byte,random password is generated via an algorithm,” IOActive said in a report.
The function that creates the random password uses a predictable algorithm allowing an attacker with knowledge of the account creation timestamp to predict the username.
IOActive recommended Lenovo owners install Lenovo System Update application (version 5.06.0043 or higher) through the system update tool.