Lenovo Systems Update A Possible Security Risk

On Wednesday, May 5th, 2015, Lenovo announced a pretty sever vulnerability in their Lenovo System Update application. Security firm IOActive appears to have been the first company to report the vulnerabilities in Lenovos system update file. IOActive published a report titled “Lenovos System Update Uses a Predictable Security Token” that discusses how the vulnerabilities could allow hackers to bypass validation checks, and replace legitimate Lenovo applications with malicious programs and allow hackers to remotely run programs.

Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions.

As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user.

IOActive discovered the vulnerabilities back in February, but only just went public in order to give the Lenovo time to fix the issue and release a patch.The good news here is thatLenovo has already released a new version of the Lenovo System Update software last month that addresses these vulnerabilities. If your Lenovo system is running System Update 5.6.0.27 or earlier you should update your system as soon as possible as you are still venerable.

Lenovo is off to a bad year when it comes to security issues. It was just a few months ago when Lenovo was caught shipping its laptops with “Superfish” adware.