Lenovo's update tool contained serious backdoor

Lenovo has fixed three serious security issues in its bundled update tool. Through the vulnerabilities, which have since been fixed, an attacker could execute code of their own on a system running the update tool. The issues were discovered by IOActive, which reported them to Lenovo in February. Lenovo has now fixed them and IOActive has published details of the flaws.


Affected systems are all Lenovo ThinkPad, ThinkCentre and ThinkStation models, as well as Lenovo V/B/K/E series computers. All of the vulnerabilities were in a tool that Lenovo uses to update its own bundled software. The tool did not properly check whether the downloaded software actually came from Lenovo; it failed to do so at three points in the update process. An attacker could, for example, use a rogue Wi-Fi access point to inject code that was then executed with administrator privileges.
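The missing check described above, as an added example that is not Lenovo's or IOActive's code: a Go sketch of an updater that only accepts a package whose manifest is signed by a pinned vendor key, exercised against a genuine release, a payload swapped in transit (the rogue access point case) and a manifest signed by a non-vendor key. The key pair, manifest format and package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for the vendor signing key pair. A real updater would
// embed only the public key and never have the private half on the client.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// Manifest is downloaded alongside the package: the expected SHA-256 of the
// payload and the vendor's signature over that digest (constructed format).
type Manifest struct {
	Digest    [32]byte
	Signature []byte
}

// signRelease is the vendor-side step: hash the package and sign the digest.
func signRelease(priv ed25519.PrivateKey, pkg []byte) Manifest {
	d := sha256.Sum256(pkg)
	return Manifest{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// verifyUpdate is the check the article says was missing: refuse to run any
// package whose digest is not covered by a manifest signed with the pinned key.
func verifyUpdate(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pinned, m.Digest[:], m.Signature) {
		return errors.New("manifest signature invalid: not signed by vendor key")
	}
	if sha256.Sum256(pkg) != m.Digest {
		return errors.New("payload digest mismatch: package altered in transit")
	}
	return nil
}

// runScenarios reports whether each case is accepted: a genuine release, the
// genuine manifest with a swapped payload, and a manifest from a foreign key.
func runScenarios() (genuine, swapped, resigned bool) {
	pkg := []byte("constructed: genuine update package bytes")
	m := signRelease(vendorPriv, pkg)
	genuine = verifyUpdate(vendorPub, m, pkg) == nil
	other := []byte("constructed: replaced package bytes")
	swapped = verifyUpdate(vendorPub, m, other) == nil
	_, foreignPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned = verifyUpdate(vendorPub, signRelease(foreignPriv, other), other) == nil
	return
}

func main() {
	g, s, r := runScenarios()
	fmt.Printf("genuine=%v swapped=%v resigned=%v\n", g, s, r)
}
```

Only the first case passes; both the swapped payload and the foreign signature are rejected before anything runs with administrator privileges.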

According to IOActive the vulnerability is very dangerous. Users can now update to a fixed version of the update tool, but because of the security issues IOActive recommends that users update manually rather than using the tool's automatic update feature. Lenovo also recommends that users update.

It is the second time in a few months that Lenovo software has caused security problems for its users. Earlier this year it became known that Lenovo shipped the Superfish adware, which injects advertisements into websites. To make it possible to inject ads into HTTPS sites, Superfish shipped with a fake SSL certificate. Because all sites were then encrypted under that certificate, an attacker could eavesdrop on the HTTPS traffic of users with the adware installed.
