Lenovo patches username/password vulnerabilities

News by Doug Olenick

Lenovo patched two vulnerabilities over the US Thanksgiving holiday that would allow a hacker to acquire administrative privileges.

IOActive reported that Lenovo System Update 5.07.001 (CVE-2015-8109) contained issues that would give an attacker the ability to more easily predict usernames and passwords of the temporary administrator account.

“Lenovo creates a random temporary Administrator account with a username that follows the template tvsu_tmp_xxxxxXXXXX where each lowercase x is a randomly generated lower case letter and each uppercase X is a randomly generated uppercase letter. A 19-byte, random password is generated via an algorithm,” IOActive said in a report.

The function that creates the random password uses a predictable algorithm, allowing an attacker with knowledge of the account creation timestamp to predict the username.
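Why time-derived credentials are weak, as an added illustration that is not Lenovo's or IOActive's code: a constructed time-seeded generator filling the quoted template, beside a hardened one that draws from the OS CSPRNG. The seeding scheme, the password alphabet and all function names are assumptions made for this example.

```python
import math
import random
import re
import secrets
import string

PREFIX = "tvsu_tmp_"                              # from the template quoted above
ALPHABET = string.ascii_letters + string.digits   # assumed password alphabet
NAME_RE = re.compile(r"^tvsu_tmp_[a-z]{5}[A-Z]{5}$")

def _build(choice):
    """Fill the template using any `choice(seq)` function."""
    lower = "".join(choice(string.ascii_lowercase) for _ in range(5))
    upper = "".join(choice(string.ascii_uppercase) for _ in range(5))
    password = "".join(choice(ALPHABET) for _ in range(19))
    return PREFIX + lower + upper, password

def weak_account(created_at: int):
    """Hypothetical weak design: every value derives from the creation time."""
    return _build(random.Random(created_at).choice)

def strong_account():
    """Hardened design: values come from the OS CSPRNG, independent of time."""
    return _build(secrets.choice)

def weak_bits(window_seconds: int) -> float:
    """Uncertainty left when the creation time is known to within a window."""
    return math.log2(window_seconds)

def strong_bits() -> float:
    """Entropy of a 19-character password drawn uniformly from ALPHABET."""
    return 19 * math.log2(len(ALPHABET))

if __name__ == "__main__":
    t = 1448496000  # constructed timestamp
    print(weak_account(t) == weak_account(t))  # same seed, same credentials
    print(round(weak_bits(3600), 1), round(strong_bits(), 1))
```

With a time seed, the credentials carry only as much uncertainty as the creation time itself, regardless of how long the password is.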

IOActive recommended Lenovo owners install the Lenovo System Update application (version 5.06.0043 or higher) through the system update tool.

