Attackers could have gained access to administrator accounts

Nov 27, 2015 16:47 GMT  ·  By

Lenovo has released a security update for ThinkVantage System Update, a tool that comes pre-installed on the company's Think-branded laptops. The update addresses two privilege escalation vulnerabilities discovered by IOActive.

ThinkVantage System Update is a software package that Lenovo says will help users save time and effort needed to always fetch the latest drivers, BIOS, and other applications for their Think or Lenovo systems.

Attackers can predict the username and password of an administrator account

IOActive researchers found two flaws in ThinkVantage System Update 5.07.0013 that let a local, unprivileged attacker spawn processes with administrator rights on affected devices. Both issues share a single root cause: a temporary administrator account that the ThinkVantage package creates during installation and, according to the researchers, never deletes afterwards.

The first issue, CVE-2015-8109, lets an attacker obtain the credentials of this temporary account. According to IOActive's team, both the username and the password were produced by a predictable algorithm: the "random" characters were derived from the device's current time, so anyone who knows roughly when the account was created can regenerate them.

The username takes the form "tvsu_tmp_xxxxxXXXXX", where each x and X is one of the generated characters. Files written during installation carry timestamps that reveal when the account was created; by trying the candidate times around that timestamp, an attacker can reproduce the username's random suffix and, with it, the password, then log in as the temporary administrator.
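The attack on a time-seeded generator, as an added illustration that is not IOActive's or Lenovo's code: the generator below is a hypothetical stand-in for the real one (the exact algorithm, the character classes, and the password length are assumptions). It seeds a PRNG with a Unix timestamp, which is what makes the output recoverable, and the "attacker" side brute-forces every seed within a window around a file timestamp until the generated username matches the one it observed, at which point the same seed also yields the password.

```python
import random
import string
from typing import Optional, Tuple

PASSWORD_ALPHABET = string.ascii_letters + string.digits


def make_credentials(seed: int) -> Tuple[str, str]:
    """Hypothetical tvsu_tmp_-style credential generator.

    Everything is derived from a PRNG seeded with a timestamp, so the
    "random" username suffix and the password are a pure function of
    the creation time. This is the weakness, not an accidental detail.
    """
    rng = random.Random(seed)
    lower = "".join(rng.choice(string.ascii_lowercase) for _ in range(5))
    upper = "".join(rng.choice(string.ascii_uppercase) for _ in range(5))
    password = "".join(rng.choice(PASSWORD_ALPHABET) for _ in range(16))
    return f"tvsu_tmp_{lower}{upper}", password


def recover_credentials(username: str, file_mtime: int,
                        window: int = 300) -> Optional[Tuple[int, str]]:
    """Attacker side: the installer's files tell us roughly when the
    account was created, so try every seed in +/- window seconds of
    that timestamp and return (seed, password) for the matching name."""
    for seed in range(file_mtime - window, file_mtime + window + 1):
        candidate, password = make_credentials(seed)
        if candidate == username:
            return seed, password
    return None


def demo() -> bool:
    """Constructed scenario: the account is created at a fixed time and an
    installation artifact is written 37 seconds later."""
    creation_time = 1448641620          # constructed timestamp, not real data
    username, real_password = make_credentials(creation_time)
    observed_mtime = creation_time + 37  # what the attacker reads from a file
    recovered = recover_credentials(username, observed_mtime)
    return recovered == (creation_time, real_password)


if __name__ == "__main__":
    print("recovered credentials:", demo())
```

The search space is the size of the time window, a few hundred seeds, so the brute force is instantaneous; the fix is not a bigger window but a generator seeded from a cryptographic source such as `secrets`, whose output cannot be reproduced from any observable timestamp.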

Admin privileges via Internet Explorer

The second issue, CVE-2015-8110, was much easier to exploit. Whenever a user clicked a link inside Lenovo's help system, ThinkVantage launched an Internet Explorer instance under the temporary administrator account, so the browser ran with administrator privileges even though it had been started by an unprivileged user.

"From there, an unprivileged attacker has many ways to exploit the web browser instance running under Administrator privileges to elevate his or her own privileges to Administrator or SYSTEM," said IOActive's Sofiane Talmat.
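A detection check a defender could run over process-creation telemetry, added here as an example and not taken from IOActive, Lenovo, or any published rule: it flags any process started under a tvsu_tmp_ account, and specifically a browser, which should never run as the temporary installer account. The log format (one key=value line per event, Windows 4688-style fields) and the sample lines are constructed for the example; the account-name pattern assumes a ten-character suffix as described in the article.

```python
import re
from typing import Dict, List

# tvsu_tmp_ followed by the ten generated characters (assumed alphanumeric).
TEMP_ADMIN = re.compile(r"^tvsu_tmp_[A-Za-z0-9]{10}$")
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed sample events in a simple key=value format, not real logs.
SAMPLE_LOG = """\
EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\notepad.exe
EventID=4688 SubjectUserName=tvsu_tmp_abcdeFGHIJ NewProcessName=C:\\Program Files\\Internet Explorer\\iexplore.exe
EventID=4688 SubjectUserName=tvsu_tmp_abcdeFGHIJ NewProcessName=C:\\Windows\\System32\\cmd.exe
EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\\Windows\\System32\\svchost.exe
EventID=4624 SubjectUserName=bob NewProcessName=
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' line into a dict; values may contain
    spaces, so each value runs up to the next ' key='."""
    fields: Dict[str, str] = {}
    for match in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line.strip()):
        fields[match.group(1)] = match.group(2)
    return fields


def find_temp_admin_processes(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per process created under a tvsu_tmp_ account.

    Severity 'high' when the process is a web browser (the CVE-2015-8110
    pattern), 'medium' for any other process under that account."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        user = ev.get("SubjectUserName", "")
        if not TEMP_ADMIN.match(user):
            continue
        image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        findings.append({
            "user": user,
            "image": image,
            "severity": "high" if image in BROWSERS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_temp_admin_processes(SAMPLE_LOG):
        print(finding)
```

The same pattern applied to account-creation events (4720) would reveal tvsu_tmp_ accounts being created and never removed, which is the root condition both CVEs rely on.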

IOActive notified Lenovo at the start of the month, and the hardware maker has released ThinkVantage System Update version 5.07.0019 to fix both issues. Users of version 5.07.0013 or earlier should update; the patched version can also be confirmed through the tool's own update mechanism.