Lenovo Warns of ThinkPad Bugs, One Unpatched

lenovo thinkpad security update

The notebook maker is warning users of three separate vulnerabilities.

Dozens of Lenovo’s flagship ThinkPad models are vulnerable to bugs ranging in severity from low to high. Two of the flaws are tied to industry-wide security bulletins, while a medium-severity flaw affects only Lenovo laptops but remains unpatched.

The most severe of the three bugs is a high-severity Bluetooth vulnerability (CVE-2019-9506) disclosed on Tuesday by Microsoft as part of its August security patch roundup. The flaw is described as an “encryption key negotiation of Bluetooth vulnerability” that could allow a nearby attacker to perform an information-disclosure or an escalation-of-privileges attack, according to a U.S. Computer Emergency Readiness Team (US-CERT) description.

The flaw is tied to the way the short-range Bluetooth radio technology encrypts its end-to-end communications for security and privacy.
“An unauthenticated, adjacent attacker can force two Bluetooth devices to use as low as 1 byte of entropy. This would make it easier for an attacker to brute force as it reduces the total number of possible keys to try, and would give them the ability to decrypt all of the traffic between the devices during that session,” according to a CERT bulletin.

On Tuesday, the computer-maker also revealed a medium-severity Lenovo-specific bug (CVE-2019-6171) that creates conditions ripe for a privilege-escalation attack. Generically, an escalation of privileges (EoP) attack allows an adversary to exploit a software bug to gain elevated access to computer resources, otherwise protected from an application or user. This type of access could allow an adversary to gain access to restricted data, change configuration settings, plant malware or essentially take control of a targeted system.

“A vulnerability was reported in older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the embedded controller with unsigned firmware,” Lenovo said of the bug, which affects ThinkPads sold within the 2015-to-2016 timeframe (including ThinkPad Yoga, ThinkPad A series, ThinkPad E series and ThinkPad X series).

Lenovo has not issued any patches for this vulnerability, however is targeting Sept. 20 as the release date for a fix. Mitigation will include updating the BIOS of effected systems.

Lenovo is also warning of an industry wide low-risk vulnerability (CVE-2019-0128) in the Intel chipset device software. “A potential security vulnerability in the Intel Chipset Device Software (INF Update Utility) may allow escalation of privilege,” wrote Lenovo.

Lenovo products impacted include models of its business-class ThinkServers and a small number of ThankPad laptops.

“Improper permissions in the installer for Intel Chipset Device Software (INF Update Utility) before version 10.1.1.45 may allow an authenticated user to escalate privilege via local access,” Intel wrote in its bulletin posted earlier this year.

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles