Hackers Could Get At ThinkPad, Other Devices: Lenovo Discloses Second Vulnerability This Year
Just months after Lenovo was criticized for a browser add-on commonly called Superfish, the vendor disclosed another vulnerability, which could have allowed hackers to replace legitimate apps with malicious ones.
Machines affected include ThinkPad, ThinkCentre, ThinkStation and the Lenovo V/B/K/E Series.
The vulnerability was discovered by security researchers at IOActive, and an advisory and patch were released April 14, according to a Lenovo post Wednesday. The advisory detailed three vulnerabilities affecting an update of Lenovo System Update, previously known as ThinkVantage System Update: allowing least-privileged users to perform system updates, not checking downloaded executables from the Internet before running, and a flaw that had the potential to allow local and remote hackers to replace trusted apps with malicious ones using a "man-in-the-middle" attack.
[Related: Lenovo Criticized For Dangerous Superfish Adware On Consumer Laptops]
Lenovo ranked the vulnerability as "medium" on its severity scale. Other vendors that announced at least one similarly or higher-ranked vulnerability this year include Hewlett-Packard, Adobe, Cisco, Microsoft and IBM.
On Wednesday, Lenovo said that it had worked with IOActive to remedy the vulnerability findings, releasing a patch for the problem. The vendor recommended that all users update to eliminate the vulnerability issue, by installing version 5.06.0034 or later.
"Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," the company said in the Wednesday post announcing the patch. Lenovo declined to comment further when contacted by CRN.
Jamie Murdock, chief information security officer at Hudson, Ohio-based Binary Defense Systems, said a hardware vulnerability is a much more serious security risk than those affecting operating systems or third-party applications. As a service provider, Murdock said, he will be communicating with his client base with details about the vulnerability and how to manually patch it.
"One of the biggest security issues with that is, it's not an operating system vulnerability. ...This is something that comes from a hardware distributor, so it's very dangerous when you have a manufacturer that has a significant vulnerability like that, because that affects the platform directly outside of just using updates," Murdock said.
Murdock said this second vulnerability will "absolutely" be a reputation hit on the vendor from a security perspective.
"When you have something like that happen, it’s a huge hit to your brand and your image," Murdock said. "That is definitely going to affect their brand. It's not that it's going to be something that will put them out of business, people will still use Lenovo laptops, but, just like anything else in business, it's, what's the risk, and how much risk can we assume on this? ... In my case, the reason I would not do it is because we're a security provider."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said in an email that the patch underscores the "system of trust" in the industry, a challenge he says faces more vendors than just Lenovo. He said it underscores the importance of having secure keys and certificates.
"As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected. ... But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously," Bocek said in an email.
PUBLISHED MAY 6, 2015