SlideShare ist ein Scribd-Unternehmen logo

Lenovo Accused Of ‘Massive Security Risk’ By Researchers

Waqas Amir
Waqas Amir

Lenovo has been accused of running a "massive security risk" after researchers found flaws in its software, according to Hackread.com: https://goo.gl/tTvX1k

Technologie
1 von 6
Downloaden Sie, um offline zu lesen
©2015 IOActive, Inc. All Rights Reserved [1] IOActive Security Advisory Title Lenovo’s System Update Uses a Predictable Security Token Severity High Discovered by Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE CVE-2015-2219 Advisory Date April 14, 2014 Affected Product Lenovo System Update (5.6.0.27 and earlier versions) Impact This vulnerability allows local least-privileged users to run commands as the SYSTEM user. Background The Lenovo System Update allows least privileged users to perform system updates. To do this, the System Update includes the System Update service (SUService.exe). This service runs privileged as the SYSTEM user and communicates with the System Update which is running as the unprivileged user. The service creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it. Technical Details Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user. Fixes Lenovo has released an updated version, which replaces the token authentication method, and is available through the System Update.
©2015 IOActive, Inc. All Rights Reserved [2] Timeline  February 2015: IOActive discovers vulnerability  February 19, 2015: IOActive notified vendor  April 3, 2015: Vendor released patch  April 14, 2015: IOActive & Vendor advisory published
©2015 IOActive, Inc. All Rights Reserved [3] IOActive Security Advisory Title Lenovo’s System Update Signature Validation Errors Severity High Discovered by Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE CVE-2015-2233 Advisory Date April 14, 2015 Affected Products Lenovo System Update (5.6.0.27 and earlier versions) Impact Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them. Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against “coffee shop” style attacks. Background The System Update downloads executables from the Internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. Technical Details When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain. As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user. Fixes Lenovo has released an updated version, which validates the CA chain, and is available through the System Update.
©2015 IOActive, Inc. All Rights Reserved [4] Timeline  February 2015: IOActive discovers vulnerability  February 19, 2015: IOActive notifies vendor  April 3, 2015: Vendor releases patch  April 14, 2015: IOActive & Vendor publish advisory
©2015 IOActive, Inc. All Rights Reserved [5] IOActive Security Advisory Title Lenovo’s System Update Race Condition Severity High Discovered by Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE CVE-2015-2234 Advisory Date April 14, 2015 Affected Products Lenovo System Update (5.6.0.27 and earlier versions) Impact This vulnerability allows local unprivileged users to run commands as an administrative user. Background The System Update downloads executables from the Internet runs them. The System Update does check for a signature before running them, but does so in a directory writable by any user. Technical Details As a result of saving the executables in a writable directory, Lenovo created a race condition between verifying the signature and executing the saved executable. A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable. When the System Update gets around to running the executable, it will run the malicious version, thinking it was the executable that it had already verified. An attacker can use this to gain elevated permissions. Fixes Lenovo has released an updated version, which changes how downloaded files are stored. It is available through the System Update. Timeline  February 2015: IOActive discovers vulnerability  February 19, 2015 : IOActive notifies vendor
©2015 IOActive, Inc. All Rights Reserved [6]  April 3, 2015 : Vendor releases patch  April 14, 2015 : IOActive & Vendor publish advisory

Empfohlen

Government resources
Government resourcesGovernment resources
Government resources
Waqas Amir
 
Pakistan’s ISI Plans for surveillance
Pakistan’s ISI Plans for surveillancePakistan’s ISI Plans for surveillance
Pakistan’s ISI Plans for surveillance
Waqas Amir
 
Unpatched Security Flaws Openly Solicited by US Navy
Unpatched Security Flaws Openly Solicited by US NavyUnpatched Security Flaws Openly Solicited by US Navy
Unpatched Security Flaws Openly Solicited by US Navy
Waqas Amir
 
Police can Grab cell phone records without Warrant, Rules Court
Police can Grab cell phone records without Warrant, Rules CourtPolice can Grab cell phone records without Warrant, Rules Court
Police can Grab cell phone records without Warrant, Rules Court
Waqas Amir
 
Boeing 787s can lose control while flying due to Software bug: Report
Boeing 787s can lose control while flying due to Software bug: ReportBoeing 787s can lose control while flying due to Software bug: Report
Boeing 787s can lose control while flying due to Software bug: Report
Waqas Amir
 
Big brother-exposed-r2 k-handbook-on-surveillance-web
Big brother-exposed-r2 k-handbook-on-surveillance-webBig brother-exposed-r2 k-handbook-on-surveillance-web
Big brother-exposed-r2 k-handbook-on-surveillance-web
Waqas Amir
 
Reserchers show how medical robots can be hacked during surgery
Reserchers show how medical robots can be hacked during surgeryReserchers show how medical robots can be hacked during surgery
Reserchers show how medical robots can be hacked during surgery
Waqas Amir
 
Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015
Waqas Amir
 

Empfohlen

Government resources
Government resourcesGovernment resources
Government resources
Waqas Amir
 
Pakistan’s ISI Plans for surveillance
Pakistan’s ISI Plans for surveillancePakistan’s ISI Plans for surveillance
Pakistan’s ISI Plans for surveillance
Waqas Amir
 
Unpatched Security Flaws Openly Solicited by US Navy
Unpatched Security Flaws Openly Solicited by US NavyUnpatched Security Flaws Openly Solicited by US Navy
Unpatched Security Flaws Openly Solicited by US Navy
Waqas Amir
 
Police can Grab cell phone records without Warrant, Rules Court
Police can Grab cell phone records without Warrant, Rules CourtPolice can Grab cell phone records without Warrant, Rules Court
Police can Grab cell phone records without Warrant, Rules Court
Waqas Amir
 
Boeing 787s can lose control while flying due to Software bug: Report
Boeing 787s can lose control while flying due to Software bug: ReportBoeing 787s can lose control while flying due to Software bug: Report
Boeing 787s can lose control while flying due to Software bug: Report
Waqas Amir
 
Big brother-exposed-r2 k-handbook-on-surveillance-web
Big brother-exposed-r2 k-handbook-on-surveillance-webBig brother-exposed-r2 k-handbook-on-surveillance-web
Big brother-exposed-r2 k-handbook-on-surveillance-web
Waqas Amir
 
Reserchers show how medical robots can be hacked during surgery
Reserchers show how medical robots can be hacked during surgeryReserchers show how medical robots can be hacked during surgery
Reserchers show how medical robots can be hacked during surgery
Waqas Amir
 
Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015
Waqas Amir
 
Woman suing google for losing “thousands” due to google play store hack
Woman suing google for losing “thousands” due to google play store hackWoman suing google for losing “thousands” due to google play store hack
Woman suing google for losing “thousands” due to google play store hack
Waqas Amir
 
Us in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agency
Us in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agencyUs in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agency
Us in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agency
Waqas Amir
 
Child Abuse Images Traded by Paedophiles for Bitcoin: Report
Child Abuse Images Traded by Paedophiles for Bitcoin: ReportChild Abuse Images Traded by Paedophiles for Bitcoin: Report
Child Abuse Images Traded by Paedophiles for Bitcoin: Report
Waqas Amir
 
Sherman testimony
Sherman testimonySherman testimony
Sherman testimony
Waqas Amir
 
Android App Used by Hackers in Sex Extortion Campaigns
Android App Used by Hackers in Sex Extortion CampaignsAndroid App Used by Hackers in Sex Extortion Campaigns
Android App Used by Hackers in Sex Extortion Campaigns
Waqas Amir
 
Facebook's revised policies_and_terms_v1.2
Facebook's revised policies_and_terms_v1.2Facebook's revised policies_and_terms_v1.2
Facebook's revised policies_and_terms_v1.2
Waqas Amir
 
Adiós gps darpa working on alternative position tracking technology
Adiós gps darpa working on alternative position tracking technologyAdiós gps darpa working on alternative position tracking technology
Adiós gps darpa working on alternative position tracking technology
Waqas Amir
 
Study reveals we are being tracked by our smartphones --- every 3 minutes
Study reveals we are being tracked by our smartphones --- every 3 minutesStudy reveals we are being tracked by our smartphones --- every 3 minutes
Study reveals we are being tracked by our smartphones --- every 3 minutes
Waqas Amir
 
Stingray Mobile Phone Surveillance Details to be unveiled.. Orders NY Court
Stingray Mobile Phone Surveillance Details to be unveiled.. Orders NY CourtStingray Mobile Phone Surveillance Details to be unveiled.. Orders NY Court
Stingray Mobile Phone Surveillance Details to be unveiled.. Orders NY Court
Waqas Amir
 
FBI Admits Using Stingray Devices to Disrupt Phone Service.
FBI Admits Using Stingray Devices to Disrupt Phone Service.FBI Admits Using Stingray Devices to Disrupt Phone Service.
FBI Admits Using Stingray Devices to Disrupt Phone Service.
Waqas Amir
 
DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...
DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...
DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...
Waqas Amir
 
Nsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwideNsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwide
Waqas Amir
 
BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.
BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.
BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.
Waqas Amir
 
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaksCitizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Waqas Amir
 
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaksCitizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Waqas Amir
 
Court ruling : Parents may be responsible for what their kinds post on facebook
Court ruling : Parents may be responsible for what their kinds post on facebookCourt ruling : Parents may be responsible for what their kinds post on facebook
Court ruling : Parents may be responsible for what their kinds post on facebook
Waqas Amir
 
hackread.com reports on The Intercept ban.
hackread.com reports on The Intercept ban.hackread.com reports on The Intercept ban.
hackread.com reports on The Intercept ban.
Waqas Amir
 
Fbi’s internal guide list to internet slangs revealed
Fbi’s internal guide list to internet slangs revealedFbi’s internal guide list to internet slangs revealed
Fbi’s internal guide list to internet slangs revealed
Waqas Amir
 
Monsanto hacked, 1300 individuals affected
Monsanto hacked, 1300 individuals affectedMonsanto hacked, 1300 individuals affected
Monsanto hacked, 1300 individuals affected
Waqas Amir
 
Nsa's talking points for friends and family - rebutted
Nsa's talking points for friends and family - rebuttedNsa's talking points for friends and family - rebutted
Nsa's talking points for friends and family - rebutted
Waqas Amir
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Deepika Singh
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
 

Weitere ähnliche Inhalte

Mehr von Waqas Amir

Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaksCitizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Waqas Amir
 

Mehr von Waqas Amir (20)

Woman suing google for losing “thousands” due to google play store hack
Woman suing google for losing “thousands” due to google play store hackWoman suing google for losing “thousands” due to google play store hack
Woman suing google for losing “thousands” due to google play store hack
 
Us in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agency
Us in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agencyUs in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agency
Us in-flight-wi-fi-internet-could-be-hacked-warns-federal-watchdog-agency
 
Child Abuse Images Traded by Paedophiles for Bitcoin: Report
Child Abuse Images Traded by Paedophiles for Bitcoin: ReportChild Abuse Images Traded by Paedophiles for Bitcoin: Report
Child Abuse Images Traded by Paedophiles for Bitcoin: Report
 
Sherman testimony
Sherman testimonySherman testimony
Sherman testimony
 
Android App Used by Hackers in Sex Extortion Campaigns
Android App Used by Hackers in Sex Extortion CampaignsAndroid App Used by Hackers in Sex Extortion Campaigns
Android App Used by Hackers in Sex Extortion Campaigns
 
Facebook's revised policies_and_terms_v1.2
Facebook's revised policies_and_terms_v1.2Facebook's revised policies_and_terms_v1.2
Facebook's revised policies_and_terms_v1.2
 
Adiós gps darpa working on alternative position tracking technology
Adiós gps darpa working on alternative position tracking technologyAdiós gps darpa working on alternative position tracking technology
Adiós gps darpa working on alternative position tracking technology
 
Study reveals we are being tracked by our smartphones --- every 3 minutes
Study reveals we are being tracked by our smartphones --- every 3 minutesStudy reveals we are being tracked by our smartphones --- every 3 minutes
Study reveals we are being tracked by our smartphones --- every 3 minutes
 
Stingray Mobile Phone Surveillance Details to be unveiled.. Orders NY Court
Stingray Mobile Phone Surveillance Details to be unveiled.. Orders NY CourtStingray Mobile Phone Surveillance Details to be unveiled.. Orders NY Court
Stingray Mobile Phone Surveillance Details to be unveiled.. Orders NY Court
 
FBI Admits Using Stingray Devices to Disrupt Phone Service.
FBI Admits Using Stingray Devices to Disrupt Phone Service.FBI Admits Using Stingray Devices to Disrupt Phone Service.
FBI Admits Using Stingray Devices to Disrupt Phone Service.
 
DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...
DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...
DARPA Wants to Monitor The Arctic, offers $4 Million For An Unmanned Surveill...
 
Nsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwideNsa hiding undetectable spyware in hard drives worldwide
Nsa hiding undetectable spyware in hard drives worldwide
 
BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.
BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.
BlackBerry, Boeing to Develop Self-Destruct Mission Impossible Style Phone.
 
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaksCitizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
 
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaksCitizenfour producers-face-legal-challenges-over-edward-snowden-leaks
Citizenfour producers-face-legal-challenges-over-edward-snowden-leaks
 
Court ruling : Parents may be responsible for what their kinds post on facebook
Court ruling : Parents may be responsible for what their kinds post on facebookCourt ruling : Parents may be responsible for what their kinds post on facebook
Court ruling : Parents may be responsible for what their kinds post on facebook
 
hackread.com reports on The Intercept ban.
hackread.com reports on The Intercept ban.hackread.com reports on The Intercept ban.
hackread.com reports on The Intercept ban.
 
Fbi’s internal guide list to internet slangs revealed
Fbi’s internal guide list to internet slangs revealedFbi’s internal guide list to internet slangs revealed
Fbi’s internal guide list to internet slangs revealed
 
Monsanto hacked, 1300 individuals affected
Monsanto hacked, 1300 individuals affectedMonsanto hacked, 1300 individuals affected
Monsanto hacked, 1300 individuals affected
 
Nsa's talking points for friends and family - rebutted
Nsa's talking points for friends and family - rebuttedNsa's talking points for friends and family - rebutted
Nsa's talking points for friends and family - rebutted
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Kürzlich hochgeladen (20)

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

Lenovo Accused Of ‘Massive Security Risk’ By Researchers

  • 1. ©2015 IOActive, Inc. All Rights Reserved [1] IOActive Security Advisory Title Lenovo’s System Update Uses a Predictable Security Token Severity High Discovered by Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE CVE-2015-2219 Advisory Date April 14, 2014 Affected Product Lenovo System Update (5.6.0.27 and earlier versions) Impact This vulnerability allows local least-privileged users to run commands as the SYSTEM user. Background The Lenovo System Update allows least privileged users to perform system updates. To do this, the System Update includes the System Update service (SUService.exe). This service runs privileged as the SYSTEM user and communicates with the System Update which is running as the unprivileged user. The service creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it. Technical Details Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user. Fixes Lenovo has released an updated version, which replaces the token authentication method, and is available through the System Update.
  • 2. ©2015 IOActive, Inc. All Rights Reserved [2] Timeline  February 2015: IOActive discovers vulnerability  February 19, 2015: IOActive notified vendor  April 3, 2015: Vendor released patch  April 14, 2015: IOActive & Vendor advisory published
  • 3. ©2015 IOActive, Inc. All Rights Reserved [3] IOActive Security Advisory Title Lenovo’s System Update Signature Validation Errors Severity High Discovered by Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE CVE-2015-2233 Advisory Date April 14, 2015 Affected Products Lenovo System Update (5.6.0.27 and earlier versions) Impact Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them. Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against “coffee shop” style attacks. Background The System Update downloads executables from the Internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. Technical Details When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain. As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user. Fixes Lenovo has released an updated version, which validates the CA chain, and is available through the System Update.
  • 4. ©2015 IOActive, Inc. All Rights Reserved [4] Timeline  February 2015: IOActive discovers vulnerability  February 19, 2015: IOActive notifies vendor  April 3, 2015: Vendor releases patch  April 14, 2015: IOActive & Vendor publish advisory
  • 5. ©2015 IOActive, Inc. All Rights Reserved [5] IOActive Security Advisory Title Lenovo’s System Update Race Condition Severity High Discovered by Michael Milvich michael.milvich@ioactive.com Sofiane Talmat sofiane.talmat@ioactive.com CVE CVE-2015-2234 Advisory Date April 14, 2015 Affected Products Lenovo System Update (5.6.0.27 and earlier versions) Impact This vulnerability allows local unprivileged users to run commands as an administrative user. Background The System Update downloads executables from the Internet runs them. The System Update does check for a signature before running them, but does so in a directory writable by any user. Technical Details As a result of saving the executables in a writable directory, Lenovo created a race condition between verifying the signature and executing the saved executable. A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable. When the System Update gets around to running the executable, it will run the malicious version, thinking it was the executable that it had already verified. An attacker can use this to gain elevated permissions. Fixes Lenovo has released an updated version, which changes how downloaded files are stored. It is available through the System Update. Timeline  February 2015: IOActive discovers vulnerability  February 19, 2015 : IOActive notifies vendor
  • 6. ©2015 IOActive, Inc. All Rights Reserved [6]  April 3, 2015 : Vendor releases patch  April 14, 2015 : IOActive & Vendor publish advisory