Lenovo Patches Vulnerabilities in System Update Service

Lenovo has patched two serious vulnerabilities in Lenovo System Update that can allow hackers to elevate privileges and guess admin passwords.

Lenovo has patched two serious vulnerabilities that hackers could abuse in targeted attacks, or at scale, to easily guess administrator passwords on a compromised device, or elevate privileges to the Windows SYSTEM user.

The vulnerabilities were patched last Thursday by the manufacturer and details were disclosed Tuesday by researchers at IOActive, who privately reported the flaws in October.

Both vulnerabilities were found in Lenovo System Update version 5.07.0013, which fetches updates from Lenovo support.

According to an advisory from IOActive, an attacker can elevate to admin privileges on a Lenovo computer by taking advantage of a weakness in a password-generation algorithm to guess the username and password of a temporary administrator account.

Researcher Sofiane Talmat told Threatpost that an attack would be successful only if the first, strong password-generation algorithm fails. System Update then falls back to an easier, reproducible algorithm that can be exploited by a hacker who would need to know only the time when the password was generated and then execute the same sequences of the generation algorithm.

“The attacker will only need to know the time when the account was created. It can be approximately taken from Users folder where the new administrator folder is created by taking the folder creation time,” Talmat said. “It is easy to brute force and generate a set of passwords within a couple of seconds.

“Since the account is not deleted until Lenovo System Updates application is closed by the user, an attacker can run the application and take all his time to regenerate the correct password,” he said.

Talmat said an attacker could also try to cause the app to fail using the first algorithm and force it to use the second in order to produce a predictable password.

“An attacker can either run the password generation algorithm in parallel of the execution of System Update application for a couple of seconds or just take the creation time of the admin folder under c:\Users\tvsu_tmp_xxxxxXXXXX and reproduce the password generation during that time window to generate a set of passwords,” Talmat said. “In case the application fails to generate a strong password and fails back to the predictable algorithm, the attacker could use his set of generated passwords against the account and find the correct one.”

The second vulnerability was also found in Lenovo System Update, which IOActive said in its advisory allows least-privileged users to perform system updates. The system creates a temporary admin account and initiates a GUI application called Tvsukernel.exe. The temporary account is deleted once the application is closed, but the GUI app maintains links to online support and help topics that, if clicked, start a browser instance under the temporary account. An attacker can take advantage of this to elevate privileges.

“This is a very easy privilege escalation attack that requires access to the machine. An attacker that has a physical access or any other remote access to the machine through a malware or any other means, will only have to run the Lenovo System Update and use the couple of Help and Privacy links to fire up an instance of web navigator running under administrative privileges,” Talmat said. “The attacker would then just use that instance of Internet Explorer or any other web browser to gain system or Administrator privileges on the machine.”

Talmat said an attacker could use that instance to download and save malicious code on the machine with administrative privileges.

“The risk is that an attacker can elevate his privileges and bypass user limitations access which is very common on corporate and critical networks – this will make the attacker an administrator on the machine where he can attack, change or disable any components such as AVs, firewalls, install malwares, rootkits, etc … the possibilities are limitless,” Talmat said.
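For defenders who cannot patch every machine at once, both behaviors described above leave traces in the Windows Security log. The following detection sketch is an added example, not code from Lenovo or IOActive: it flags a browser started under a `tvsu_tmp_` account and a temporary admin account that outlives a normal update run. The simplified event dictionaries, the browser list, the 30-minute threshold, the sample account names and the sample paths are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Prefix from the profile path quoted in the article; suffix is not assumed.
TEMP_ACCOUNT = re.compile(r"^tvsu_tmp_", re.IGNORECASE)
# Assumption: image names treated as browsers; extend for your fleet.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
MAX_LIFETIME = timedelta(minutes=30)  # assumption: tune to normal update runs

def detect(events, now):
    """Return (kind, account, detail) alerts from simplified Security events."""
    alerts, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if not TEMP_ACCOUNT.match(user):
            continue
        if ev["id"] == 4720:        # a user account was created
            created[user] = ev["time"]
        elif ev["id"] == 4726:      # a user account was deleted
            created.pop(user, None)
        elif ev["id"] == 4688:      # a process was created under the account
            image = basename(ev["image"]).lower()
            if image in BROWSERS:
                alerts.append(("browser_as_temp_admin", user, image))
    for user, start in created.items():
        if now - start > MAX_LIFETIME:  # created but never deleted
            alerts.append(("temp_admin_lingering", user, str(now - start)))
    return alerts

# Constructed sample events (hypothetical accounts, times and paths).
T0 = datetime(2015, 1, 1, 9, 0, 0)
A, B = "tvsu_tmp_aaaaaAAAAA", "tvsu_tmp_bbbbbBBBBB"
SAMPLE = [
    {"time": T0, "id": 4720, "user": A},
    {"time": T0 + timedelta(seconds=40), "id": 4688, "user": A,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"time": T0 + timedelta(minutes=2), "id": 4720, "user": B},
    {"time": T0 + timedelta(minutes=3), "id": 4688, "user": B,
     "image": r"C:\placeholder\Tvsukernel.exe"},
    {"time": T0 + timedelta(minutes=6), "id": 4726, "user": B},
    {"time": T0 + timedelta(minutes=7), "id": 4688, "user": "alice",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, T0 + timedelta(hours=2)):
        print(alert)
```

Event 4688 is only logged when process-creation auditing is enabled, so the browser rule depends on that audit policy being in place.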
