Vulnerability in Lenovo Devices Allows Attacker to Bypass Fingerprint Authentication and Gain Higher Privileges.
In case you own a ThinkCentre, ThinkPad or ThinkStation system manufactured by Lenovo, then we suggest that you immediately install an important security fix so as to prevent the vulnerability that bypasses encoded fingerprint data with a hardcoded password.
Categorized as CVE-2017-3762, the vulnerability was discovered by Security Compass’s Jackson Thuraisamy after locating a weak algorithm that affected the Lenovo Fingerprint Manager Pro utility for Windows versions 7, 8 and 8.1, which allows users to log-in to their devices through configured websites using fingerprint authentication process.
This utility is used for storing a broad range of data such as login credentials for Windows. Due to this flaw, any hardcoded password can be used to bypass fingerprint authentication feature as well as decrypt security data stored on the device.
Lenovo has issued a security advisory notice, which reads: “A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows login credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
The systems that are believed to be affected by this vulnerability include the following:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
The vulnerability is rated ‘high severity’ since an attacker who manages to exploit it can easily obtain higher privileges on the device. In order to mitigate the threat, users must upgrade to Fingerprint Manager Pro version 8.01.87 or higher.
To read the original article: