Lenovo is under fire again after researchers found three high-severity vulnerabilities in the Chinese PC maker’s System Update tool – one of which could allow remote hackers to replace trusted applications on machines with malicious ones.
IOActive claimed that CVE-2015-2233 affected Lenovo System Update versions 5.6.0.27 and earlier.
It allows remote hackers to take advantage of the fact that Lenovo doesn’t fully verify executables which System Update downloads from the internet and runs. They can do this via a classic “coffee shop” style man-in-the-middle (MITM) attack.
IOActive explained:
“When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain. As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”
Lenovo released an update on 1 April which validates the CA chain, fixing the flaw.
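To make the distinction concrete, the following Go program (an added illustration written for this article, not Lenovo's or IOActive's code) contrasts the two kinds of check IOActive describes. It constructs a vendor root CA and an attacker-minted "fake CA" (both generated in memory, with constructed names and payloads), signs an update under each, and runs two verifiers: a signature-only check that merely confirms the signature matches the key in whatever certificate ships with the download, and a corrected check that additionally requires the signing certificate to chain to a pinned root and carry the code-signing usage. The first accepts the forgery; the second rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedPackage models a downloaded update: the payload, an ECDSA signature
// over its SHA-256 digest, and the certificate claimed to have signed it.
type signedPackage struct {
	Payload   []byte
	Signature []byte
	Cert      *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a certificate for cn. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parentKey. All certs are constructed here.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// sign produces a package signed with key, shipping cert alongside it.
func sign(payload []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) signedPackage {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return signedPackage{Payload: payload, Signature: sig, Cert: cert}
}

// verifySignatureOnly is the weak check: the signature matches the key inside
// the shipped certificate, but nobody asks who issued that certificate, so an
// attacker-minted CA and leaf pass just as well as the vendor's.
func verifySignatureOnly(p signedPackage) bool {
	pub, ok := p.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(p.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], p.Signature)
}

// verifyChained is the corrected check: the signature must verify AND the
// signing certificate must chain to a pinned root and be valid for code signing.
func verifyChained(p signedPackage, roots *x509.CertPool) bool {
	if !verifySignatureOnly(p) {
		return false
	}
	_, err := p.Cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// demo builds a vendor PKI and a fake one, signs a genuine and a forged
// package, and reports how each verifier judges them.
func demo() (genuineOK, naiveAcceptsForged, chainedAcceptsForged bool) {
	vendorRoot, vendorRootKey := mkCert("Vendor Root CA", true, nil, nil)
	vendorSigner, vendorSignerKey := mkCert("Vendor Update Signer", false, vendorRoot, vendorRootKey)
	fakeRoot, fakeRootKey := mkCert("Fake Root CA", true, nil, nil)
	fakeSigner, fakeSignerKey := mkCert("Vendor Update Signer", false, fakeRoot, fakeRootKey) // same name, wrong issuer

	roots := x509.NewCertPool()
	roots.AddCert(vendorRoot) // the only root the updater should ever trust

	genuine := sign([]byte("constructed genuine update payload"), vendorSignerKey, vendorSigner)
	forged := sign([]byte("constructed substituted payload"), fakeSignerKey, fakeSigner)
	return verifyChained(genuine, roots), verifySignatureOnly(forged), verifyChained(forged, roots)
}

func main() {
	g, n, c := demo()
	fmt.Printf("genuine package passes chain check:        %v\n", g)
	fmt.Printf("forged package passes signature-only check: %v\n", n)
	fmt.Printf("forged package passes chain check:         %v\n", c)
}
```

The point of pinning `Roots` to the vendor's own CA rather than the system store is that a MITM on an untrusted network cannot mint a certificate that chains to a key only the vendor holds; matching the subject name, as the forged signer does here, buys the attacker nothing once the issuer is actually checked.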
“Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them,” it said in a statement.
Users will be automatically prompted to install the updated version of the program when the app is run, or they can manually update System Update as explained here.
The update also fixes two other high-severity flaws discovered by IOActive.
CVE-2015-2219 allows a local least-privileged user to run commands as the System user, while CVE-2015-2234 allows local unprivileged users to run commands as an administrative user.
Kevin Bocek, vice president of security, strategy and threat intelligence at Venafi, argued that the system of trust that keeps the internet running safely is “very fragile.”
“Lenovo is certainly not alone in their inability to properly validate digital certificates – this is just the tip of the iceberg. And as this vulnerability shows, if you can compromise certificates, other security controls break down,” he added.
“Using keys and certificates attempted to solve the first security problems on the internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”
The news comes just a few months after Lenovo found itself at the center of an adware storm when it emerged that the firm’s pre-loaded Superfish software used fake, self-signed root certificates – a practice which could have allowed hackers to launch MITM attacks against users without their knowledge.