Lenovo’s system update vulnerability allows man in the middle attacks

Lenovo is facing the heat once again as three major vulnerabilities are discovered in their system update software. This is a big blow to the Chinese PC manufacturer after Superfish, the pre-installed Lenovo adware contained a massive security flaw. This time, it’s even worse as it turns out that Lenovo’s own system update software could lead to a man in the middle (MiTM) attack.

The security flaws were discovered by IOActive who found out that Lenovo’s system update doesn’t fully verify executables downloaded from the internet. Due to this, it is possible for attackers to replace the legitimate update software with malware in a classic man in the middle scenario.

Free System privileges for everyone!

The system update software allows even the least privileged users to run the update. In order to do that the application includes a service called SUService.exe. This service runs as system user and allows any user to execute commands with higher privileges. This vulnerability present in Lenovo System Update (5.6.0.27 and earlier versions) presents a great security risk as it could allow malicious commands from an unprivileged user to be executed with system privileges, thus putting the malware in the driver’s seat. But wait, Lenovo software update must be checking the signatures of the downloaded files before running them, right? Unfortunately that is where the problem exists. As stated by IOActive:

“When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain. As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”

Thankfully though, Lenovo worked together with IOActive to release an update that addresses this issue (CVE-2015-2233). Other vulnerabilities fixed include:

• CVE-2015-2219 – allows a local least privileged user to run commands as a System user
• CVE-2015-2234 – allows local unprivileged users to run commands as an administrative user

As stated by Kevin Bocek, vice president of security, strategy and threat intelligence at Venafi:

The system of trust that keeps the internet running safely is “very fragile.”

Hopefully Lenovo and other PC manufacturers will improve security testing procedures for their software to ensure that their users are not exposed to such security risks.

Have a nice (vulnerability-free) day!