While Lenovo is still reeling from the Superfish vulnerability, three more serious vulnerabilities have been patched and disclosed in the update system for its PCs.
Researchers at IOActive yesterday disclosed details on a trio of security issues in the mechanism by which Lenovo machines receive security and feature updates. Lenovo is the world's PC leader, according to Gartner, with almost 20 percent of market share.
The most serious of the bugs allows least-privileged users to run commands as the System user in versions 220.127.116.11 and earlier of Lenovo System Update, IOActive said.
“Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute,” wrote researchers Michael Milvich and Sofiane Talmat. “Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions.”
An attacker can take advantage of the vulnerability by creating a valid token and including it along with a malicious command that will be executed by SUService.exe, IOActive said.
The second vulnerability is equally disturbing: an attacker in a man-in-the-middle position can bypass signature validation and swap out an executable while System Update is downloading it. The mechanism is used to download trusted Lenovo applications. Despite this communication happening over SSL/TLS, IOActive's researchers discovered that Lenovo fails to completely verify and validate the Certificate Authority chain.
“As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables,” the researchers wrote. “Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”
The final vulnerability is related to the previous one and allows local users to run commands as an admin, taking advantage of the fact that System Update verifies signatures of files in a directory writeable by any user. Because the executables are saved in such a directory, a race condition exists between verifying the signature and executing the program, IOActive said.
“A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable,” the researchers wrote. “When the System Update gets around to running the executable, it will run the malicious version, thinking it was the executable that it had already verified. An attacker can use this to gain elevated permissions.”
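The time-of-check/time-of-use race described above is easiest to see side by side with the pattern that closes it. The following Python example is added here and is not code from the article, from IOActive or from Lenovo's System Update. It uses an HMAC as a constructed stand-in for a code signature (a real updater verifies a signature against a trusted certificate chain), simulates "executing" an update by running a small Python script, and wins the race deterministically by calling an `attacker_swaps()` callback inside the window. The vulnerable installer verifies and then runs the file by its path in a shared directory; the hardened installer copies the file into a freshly created private directory (mode 0o700 on POSIX, which is assumed here) and verifies and executes only that private copy, so what was verified is what runs.

```python
import hashlib
import hmac
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed stand-in for a code-signing key; a real updater would verify a
# signature against a trusted certificate chain instead of an HMAC key.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(data: bytes) -> bytes:
    """Produce a stand-in 'signature' over the update's bytes."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes) -> bool:
    """Constant-time check of the stand-in signature."""
    return hmac.compare_digest(sign(data), signature)


def run_update(path: str) -> str:
    """'Execute' the staged update (a small Python script) and return its output."""
    proc = subprocess.run([sys.executable, path], capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def vulnerable_install(path: str, signature: bytes, attacker_swaps) -> str:
    """Verify the file by path, then execute the same path. The TOCTOU window is
    the gap between the read and the run: anyone who can write to the directory
    can replace the file in that gap."""
    with open(path, "rb") as f:
        if not verify(f.read(), signature):
            return "rejected"
    attacker_swaps()  # simulated: the race is won deterministically for the demo
    return run_update(path)


def hardened_install(path: str, signature: bytes, attacker_swaps) -> str:
    """Copy the file into a freshly created private directory first, then verify
    and execute only that private copy, so whatever was verified is what runs."""
    staging = tempfile.mkdtemp()  # mode 0o700 on POSIX (assumption: POSIX host)
    try:
        private_copy = os.path.join(staging, "update.py")
        shutil.copyfile(path, private_copy)
        with open(private_copy, "rb") as f:
            data = f.read()
        if not verify(data, signature):
            return "rejected"
        attacker_swaps()  # the shared file changes, but the private copy does not
        return run_update(private_copy)
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def demo() -> tuple:
    """Run both installers against a constructed 'user-writable' download directory.
    Returns (vulnerable result, hardened result, hardened result when the
    malicious file is already in place before verification)."""
    shared_dir = tempfile.mkdtemp()  # stands in for the world-writable directory
    path = os.path.join(shared_dir, "update.py")
    genuine = b"print('genuine update')\n"        # constructed sample update
    malicious = b"print('malicious payload')\n"   # constructed sample replacement
    signature = sign(genuine)

    def write(data: bytes) -> None:
        with open(path, "wb") as f:
            f.write(data)

    def attacker_swaps() -> None:
        write(malicious)

    try:
        write(genuine)
        vulnerable = vulnerable_install(path, signature, attacker_swaps)
        write(genuine)
        hardened = hardened_install(path, signature, attacker_swaps)
        write(malicious)
        tampered_early = hardened_install(path, signature, attacker_swaps)
        return vulnerable, hardened, tampered_early
    finally:
        shutil.rmtree(shared_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable installer executing the swapped file even though it verified the genuine one, while the hardened installer runs the genuine update and rejects a file that was already replaced before the copy. The private staging directory is what makes the difference: once the bytes are out of reach of other users, verification and execution operate on the same data, and there is no window for a swap.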
All three vulnerabilities were reported in February and patched in early April.
“Existing installations of Lenovo System Update will prompt the user to automatically install the updated version of the program when the application is run. Alternatively, users may manually update System Update as described in the security advisory,” Lenovo said in a statement provided to Threatpost. “Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive. In general, Lenovo encourages its users to keep their systems up to date by allowing automatic updates to run when prompted.”
In February, problems were disclosed in pre-installed Superfish adware on Lenovo PCs and laptops when a researcher reported that he had cracked the password protecting the digital certificate shipped with Superfish, putting encrypted communication at risk via man-in-the-middle attacks. As it turned out, the digital certificate was the same on all Lenovo machines shipped with Superfish through January of this year.
This article was updated at 3:30 p.m. ET with a comment from Lenovo.