Hard-coded Password Lets Attackers Bypass Lenovo's Fingerprint Scanner

Discussion in 'Lenovo' started by Dr. AMK, Jan 30, 2018.

  1. Dr. AMK

    Dr. AMK The Strategist

    Hard-coded Password Lets Attackers Bypass Lenovo's Fingerprint Scanner
    Monday, January 29, 2018 Wang Wei
    Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow leaking of sensitive data stored by users.

    Fingerprint Manager Pro is a utility for Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software could also be configured to store website credentials and authenticate to sites via fingerprint.

    In addition to fingerprint data, the software also stores users' sensitive information like their Windows login credentials, all of which are encrypted using a weak cryptography algorithm.


    According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that made the software accessible to all users with local non-administrative access.

    "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said in its advisory, giving a brief description of the vulnerability.

    The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation laptops, and affects more than two dozen Lenovo ThinkPad models, five ThinkStation models and eight ThinkCentre models that run the Windows 7, 8 and 8.1 operating systems.

    Here's the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:

    • ThinkPad L560
    • ThinkPad P40 Yoga, P50s
    • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
    • ThinkPad W540, W541, W550s
    • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
    • ThinkPad X240, X240s, X250, X260
    • ThinkPad Yoga 14 (20FY), Yoga 460
    • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
    • ThinkStation E32, P300, P500, P700, P900
    Lenovo has credited security researcher Jackson Thuraisamy with Security Compass for discovering and responsibly reporting the vulnerability.


    The popular Chinese computer manufacturer strongly recommends that its ThinkPad customers update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head to the company's official website to do so.

    Since Microsoft added native fingerprint reader support with the Windows 10 operating system, eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not impacted by the vulnerability.
  2. User32

    User32 Notebook Consultant

    Thank god, it's only the trash tier ThinkPads that have this exploit.

    Good thing my T2x's and X3x's are before the backdoor era.
  3. Dr. AMK

    Dr. AMK The Strategist

    LENOVO FIXES HARDCODED PASSWORD FLAW IMPACTING THINKPAD FINGERPRINT SCANNERS

    PC maker Lenovo issued a fix for a hardcoded password flaw impacting ThinkPad, ThinkCentre and ThinkStation laptops. The flaw affects nearly a dozen Lenovo laptop models that run versions of Microsoft Windows 7, 8 and the 8.1 operating system.

    The vulnerability was disclosed by Lenovo on Thursday, which also offered a patch to fix affected systems.

    "Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed," according to Mitre's Common Vulnerabilities and Exposures description of the vulnerability (CVE-2017-3762).

    Lenovo credited Jackson Thuraisamy, a senior security consultant with Security Compass, for finding and disclosing the flaw.

    Mitigation includes updating Lenovo’s Fingerprint Manager Pro to version 8.01.87 or later. Lenovo laptops running Windows 10 are not impacted by the flaw because that version of Microsoft’s operating system natively supports fingerprint reader technology.

    Lenovo is urging users of the following laptops to update their Lenovo Fingerprint Manager Pro version to 8.01.87 or higher.

    • ThinkPad L560
    • ThinkPad P40 Yoga, P50s
    • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
    • ThinkPad W540, W541, W550s
    • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
    • ThinkPad X240, X240s, X250, X260
    • ThinkPad Yoga 14 (20FY), Yoga 460
    • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
    • ThinkStation E32, P300, P500, P700, P900
    Last edited: Feb 5, 2018
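    A defender's check for the mitigation described in this post and in the first post, as an added example that is not from the quoted articles or from Lenovo: a PowerShell script that reads the installed Fingerprint Manager Pro version from the Windows Uninstall registry keys and compares it against 8.01.87, treating Windows 10 hosts as out of scope as the advisory states. The product's DisplayName and DisplayVersion registry values are assumptions, not taken from the advisory.

```powershell
# Added example, not from the articles or from Lenovo: checks whether a Windows 7/8/8.1
# host still runs Lenovo Fingerprint Manager Pro 8.01.86 or earlier (CVE-2017-3762).
# Assumption: the product registers under the standard Uninstall registry keys with a
# DisplayName containing "Fingerprint Manager Pro" and a parseable DisplayVersion.

$FixedVersion = [version]'8.01.87'   # first fixed release named in the advisory

function Get-FingerprintManagerPro {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager Pro*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-Cve20173762 {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Windows 10 reports 10.0.x; the advisory covers 7 (6.1), 8 (6.2) and 8.1 (6.3),
    # since Windows 10's native fingerprint support replaces Fingerprint Manager Pro.
    if (([version]$os.Version).Major -ge 10) {
        return [pscustomobject]@{ Status = 'NotAffected'; Detail = "Windows $($os.Version) is out of scope" }
    }
    $products = @(Get-FingerprintManagerPro)
    if ($products.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NotInstalled'; Detail = 'no Fingerprint Manager Pro entry in Uninstall keys' }
    }
    foreach ($p in $products) {
        $installed = $null
        if (-not [version]::TryParse($p.DisplayVersion, [ref]$installed)) {
            return [pscustomobject]@{ Status = 'Unknown'; Detail = "cannot parse version '$($p.DisplayVersion)' for $($p.DisplayName)" }
        }
        if ($installed -lt $FixedVersion) {
            return [pscustomobject]@{ Status = 'Vulnerable'; Detail = "$($p.DisplayName) $($p.DisplayVersion) is below 8.01.87; update required" }
        }
    }
    return [pscustomobject]@{ Status = 'Patched'; Detail = "$($products[0].DisplayName) $($products[0].DisplayVersion) is 8.01.87 or later" }
}

Test-Cve20173762 | Format-List
```

    Run it from an elevated or a standard PowerShell session; reading HKLM Uninstall keys does not require administrative rights, which matches the advisory's point that non-administrative users can reach the affected data.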
  4. hmscott

    hmscott Notebook Nobel Laureate

    It's amazing how Lenovo keeps slipping up in just the same way, leaving their customers with insecure laptops, so often and in so many ways. :)

    That must be why the US banned sale of Lenovo servers and laptops into secure sites, and why the military stopped buying them too.

    Maybe if Lenovo hardware is not secure enough for those bright folk, it isn't a good buy for us either?

    https://www.google.com/search?q=len...rome..69i57.5609j0j7&sourceid=chrome&ie=UTF-8
  5. Dr. AMK

    Dr. AMK The Strategist

    Yes, my friends in the US military sector and Boeing told me that they depend on another particular brand now, no Lenovo any more.
  6. hmscott

    hmscott Notebook Nobel Laureate

    It looks like the DOD and FTC are reissuing the warnings and bans against Lenovo and other Chinese companies, along with other agencies, for 2018:

    DOD Issues Cybersecurity Warning Against Lenovo Computers, Handheld Devices
    https://www.fedmanager.com/index.ph...ing-against-lenovo-computers-handheld-devices

    Lenovo banned from installing bloatware on its laptops after Superfish
    http://www.itpro.co.uk/desktop-hardware/29396/lenovo-settles-superfish-spyware-lawsuit-for-35m
    https://www.theinquirer.net/inquire...ware-onto-its-laptops-after-superfish-scandal

    Same for Huawei:

    New bill seeks to ban Huawei from any US government contracts
    https://www.engadget.com/2018/01/13/bill-ban-huawei-us-government-contracts/
    Last edited: Feb 5, 2018
  7. Dr. AMK

    Dr. AMK The Strategist

    This is really bad. It seems a hidden war has just started.
  8. fire3element

    fire3element Notebook Consultant

    Could be worse. At least it's not as easy as hitting backspace 28 times to log in. /s
  9. hmscott

    hmscott Notebook Nobel Laureate

    Last edited: Feb 6, 2018