Updated: PC maker Lenovo exposes users to "massive security risk"

News by Tim Ring

World number one PC maker Lenovo has been accused of running a "massive security risk" because flaws in its online product update service allow attackers to push malware onto its users' systems through a man-in-the-middle (MITM) attack.

The problems have been revealed by security firm IOActive – just weeks after Lenovo was found to be shipping PCs with pre-installed ‘Superfish’ adware that also left its users open to MITM attacks.

IOActive researchers Michael Milvich and Sofiane Talmat say in an advisory that they discovered the latest “high-severity” privilege escalation vulnerabilities in Lenovo's System Update service, which enables users to download the latest drivers and other software, including security patches, from Lenovo's website.

The researchers found the flaws in February, and have now gone public on them after giving Lenovo time to develop a patch, issued last month.

But while the patch fixes the problems, users have to download the security update to protect themselves.

Milvich and Talmat say that one of the vulnerabilities, CVE-2015-2233, allows local and remote attackers to bypass System Update's signature validation checks and replace trusted Lenovo applications with malware.

Another bug, CVE-2015-2219, is a weakness in the security token scheme Lenovo uses to authorise requests to the service, which means least-privileged users could gain privileged access to Lenovo PCs, laptops and other devices and run their own malicious commands and programs.

“Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk,” the researchers say.

A third flaw, CVE-2015-2234, allows local unprivileged users to run commands as an admin user.

The problems affect the versions of Lenovo System Update released before the April patch.

The researchers explain that with CVE-2015-2233: “The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables.

“Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
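To make the researchers' "does not completely verify" point concrete, the following is an added example in Go; it is not Lenovo's code and not IOActive's proof of concept. It builds a constructed vendor PKI and a look-alike attacker PKI, then runs signed packages through two checks: the incomplete one described above, which only validates the signature against whatever certificate arrives with the download, and one that additionally requires the signer to chain to a root pinned in the updater's own trust store. The package layout, the ECDSA P-256 keys, the `mint`/`signPackage`/`weakVerify`/`strongVerify` names and the certificate names are all assumptions for illustration; the article does not describe the real service's signing format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus the private key behind it.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// signedPackage is a constructed stand-in for a downloaded update: file bytes,
// a signature over SHA-256(body), and the signer's certificate. The trust
// anchor is deliberately absent; it must come from the updater's own store.
type signedPackage struct {
	body []byte
	sig  []byte
	leaf *x509.Certificate
}

// must aborts on setup errors (key and certificate generation are not the topic).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint creates a P-256 certificate: a self-signed CA when parent is nil, else a
// code-signing leaf issued by parent. A "fake CA" is one call to mint away.
func mint(cn string, parent *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	issuer := parent
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		issuer = &identity{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &identity{cert: cert, key: key}, err
}

// signPackage signs SHA-256(body) with the signer's key.
func signPackage(body []byte, signer *identity) (*signedPackage, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, signer.key, digest[:])
	return &signedPackage{body: body, sig: sig, leaf: signer.cert}, err
}

// weakVerify is the incomplete check: the signature is valid under whatever
// certificate came with the download, but nobody asks who issued that
// certificate. Tampering is caught; a package signed under a home-made CA is not.
func weakVerify(p *signedPackage) error {
	return p.leaf.CheckSignature(x509.ECDSAWithSHA256, p.body, p.sig)
}

// strongVerify adds the missing step: the signer must chain to a root the
// updater already trusts (pinned, never downloaded) and be valid for code signing.
func strongVerify(p *signedPackage, trusted *x509.CertPool) error {
	if err := weakVerify(p); err != nil {
		return err
	}
	_, err := p.leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// Outcome holds each check's verdict (nil = accepted) for the genuine package,
// the same package with one byte flipped, and an attacker package under a fake CA.
type Outcome struct {
	WeakVendor, WeakTampered, WeakAttacker error
	StrongVendor, StrongAttacker           error
}

// Demo builds both PKIs and runs the packages through both checks.
func Demo() Outcome {
	vendorRoot := must(mint("Vendor Root CA (constructed)", nil))
	vendorSigner := must(mint("Vendor Code Signing (constructed)", vendorRoot))
	trusted := x509.NewCertPool() // the updater's pinned trust store
	trusted.AddCert(vendorRoot.cert)
	// Same names as the vendor PKI, so matching on subject alone would not help.
	evilRoot := must(mint("Vendor Root CA (constructed)", nil))
	evilSigner := must(mint("Vendor Code Signing (constructed)", evilRoot))

	genuine := must(signPackage([]byte("constructed stand-in for the real update binary"), vendorSigner))
	malicious := must(signPackage([]byte("constructed stand-in for a malicious replacement"), evilSigner))
	tampered := &signedPackage{body: append([]byte(nil), genuine.body...), sig: genuine.sig, leaf: genuine.leaf}
	tampered.body[0] ^= 0xff

	return Outcome{
		WeakVendor: weakVerify(genuine), WeakTampered: weakVerify(tampered), WeakAttacker: weakVerify(malicious),
		StrongVendor: strongVerify(genuine, trusted), StrongAttacker: strongVerify(malicious, trusted),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run with `go run`: the weak check rejects the tampered body (so it is not a no-op) yet accepts the attacker's package, because the attacker's certificate is perfectly valid for the key that produced the signature. The strong check rejects it with an unknown-authority error, since nothing in the attacker's chain ends at the pinned root. The attacker's CA deliberately reuses the vendor's subject names: checking the signer's name without anchoring the chain would not have helped either.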

Lenovo, based in China and North Carolina, USA, is the world's largest PC manufacturer; it began evolving from a Chinese-only company when it acquired IBM's global PC business 10 years ago.

But the company has been plagued by security problems in recent months and the latest privilege escalation flaws have drawn criticism from independent cyber-security experts.

John Walker, director of security services firm ISX and a visiting professor at Nottingham-Trent University, told SCMagazineUK.com: “What we're looking at here is a world-reputable organisation that has clearly deployed a facility that is not fit for purpose, nor robust.

“Hackers these days are saying ‘you know what, if you want to hack something, don't think of anything new, use the systems and mechanisms that are there already’.

“Hackers can see here a way of getting into something that is clearly not tied down, and it's an ideal way of delivering potentially thousands of Trojans into corporate environments.”

TK Keanini, CTO of Lancope, told SCMagazineUK.com via email: “Lenovo ships a suite of software to help the user with administration and ease of use. All software may contain vulnerabilities and all software needs to be maintained in the face of an active threat.

“The problem is that people need to update these computers. It is not enough for Lenovo just to make it available. Enterprises running this brand of products need to ensure that their users have patched via any means possible.”

Sofiane Talmat, a senior security consultant for IOActive, confirmed to SCMagazineUK.com that Lenovo has patched the problems, but that users have to download the latest version of the Update software to be secure.

In an email to SC, Lenovo responded to the claims, issuing a statement saying: "Lenovo's development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of Lenovo System Update on April 1st, which resolves these vulnerabilities. We subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege. Existing installations of Lenovo System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive."
