Laptop megabrand Lenovo was all over the news recently thanks to a preinstalled utility called Superfish.
Lenovo’s motivation for choosing Superfish seems to have been entirely innocent, but nevertheless ended in tears, especially for Lenovo.
The program supposedly boosted the accuracy and relevance of image searches you did; in return, the company bankrolling the Superfish system could make money at the other end by putting relevant advertisers in front of you.
That’s sort of what Google and others do with their search engine, except that Superfish was preinstalled, and hooked into your browsing, making it less obvious that you were giving away search information to a third-party company in the on-line advertising industry.
But that wasn’t the really bad part.
Superfish also quietly included a module to peek inside your dealings even with encrypted websites, using the same sort of technique as security software that scans encrypted web traffic for exploits, scams, malware and more.
Unfortunately, the Superfish vendor completely botched up the cryptography, theoretically making it trivial for a well-informed crook not only to trick you into trusting a fake website, but also to trick your computer into trusting any software that you downloaded from it.
We quickly published instructions to help you get rid of Superfish, so that you no longer had to worry about any side-effects it might have; happily, Lenovo soon followed suit with removal instructions and a removal toolkit of its own.
Lessons learned; problem solved; move on.
Back in the news
Sadly for Lenovo, the company is now back in the news with another security problem, but this time it’s in the company’s own System Update software.
System update tools can be an exploiter’s dream, because they are usually designed to let an unprivileged but authorised user (i.e. you if it’s the personal laptop you bought to use at home) kick off updates without having to log in as an administrator first.
That’s actually good for security if done well, for a variety of reasons:
- It makes official updates easy, so you are less inclined to put them off “until next time.”
- You can let others in your family apply updates without giving them the administrator password.
- You don’t need to log in as administrator at all, which reduces your time exposed to danger.
Obviously, however, system update tools that accidentally give too much power to an unprivileged user are a bad thing, because that turns them into an Elevation of Privilege (EoP) security hole.
Unfortunately, when bug-hunters IOActive took a recent expedition into Lenovo’s System Update software, they found that it was too liberal in how much power it put in the hands of users who weren’t supposed to have it.
Simply put, Lenovo’s update service did include an authentication system that was supposed to limit access to specific users, but the password (more correctly, what’s known as a security token – a special blob of data that is supposed to be unique) could easily be guessed.
So any user on the system could pretend to be authorised to communicate with the update service.
To make things worse, the commands that the update service could handle were of a general nature, such as “please run this command for me.”
In other words, any user, even an unprivileged one, could run any command as the SYSTEM account, simply by asking Lenovo’s System Update service politely.
Command line utilities available on every Windows computer make it easy for privileged users to do useful tasks such as changing passwords, creating accounts, altering file access permissions, opening up network shares, installing new software and much more.
But you definitely don’t want to let unprivileged users do any of those things, even if all you are worried about is accidents.
Add in users, internal or external, with malicious intent and the risks are even worse.
What to do?
This was all privately disclosed to Lenovo, and fixed before IOActive made its bulletin public.
That’s the right way to deal with holes of this sort, in our opinion.
Anyone who already knew about this hole could have exploited it anyway; those who didn’t were given a decent opportunity to fix the hole forever.
(Yes, it seems that Lenovo did indeed use System Update to patch System Update, giving a simple but tidy closure to the problem.)
NB. According to IOActive, Lenovo System Update at version 5.6.0.27 or earlier is vulnerable. If you have a later version, you should be immune to this vulnerability. You can check the version number of third-party software installed on Windows using Control Panel | Programs | Programs and Features. In the Details view, you should see the columns Name, Publisher, Installed On, Size and Version.
While I think telling Lenovo first is a good idea… if Lenovo doesn’t fix it in a reasonable amount of time I think they should have gone public before a fix was announced. But I guess that just starts a debate on how much time is reasonable.
They’ve had that discussion here before on NS
For the record, Lenovo did fix it in a reasonable amount of time. Click on the screenshot of the IOActive bulletin for the full timeline. Peace with honour all round, as far as I can see.
The current version number listed in Control panel for Lenovo System Update on my Lenovo desktop is 5.06.0034 installed on 4/15/15. Can I assume that this is a later version than the 5.6.027 listed in the article since the last two numbers are 34 versus 27??
I reckon so. I don’t have a Lenovo laptop handy to test on (but if anyone wants to lend me a Yoga 3 for an “extended test period” I will happily include this update in my “extended testing” :-).
Well it did say 5.6.027 and /earlier/ so the .027 was affected.
The OP’s confusion is understandable.
Is version 5.6.0034 really greater than 5.6.027? (If you take “5” as the product release and “6.0034” as the version identifier, then *numerically* it is lower. Even if you take the whole string, it sorts *lexically* earlier.)
I assume it’s “greater than,” and I am quietly confident I am right, but it genuinely _is_ confusing. (Personally, I try to avoid leading zeros in any numeric part of a version ID.)
Unless the leading zero is a typo on the OP’s part.
Or there’s a typo of a missing zero on IOActive’s part 🙂
PS I found this: http://support.lenovo.com/us/en/documents/ht080136
Readme: http://download.lenovo.com/pccbbs/thinkvantage_en/systemupdate506-03-27-2015.txt
I’m sticking to my plan of never using leading zeros in build numbers 🙂
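The NB paragraph above describes checking the installed version by hand in Programs and Features, and the comment thread shows how leading zeros (5.06.0034 versus 5.6.0.27) make a string comparison misleading. The PowerShell below is an added example, not code from the article, IOActive or Lenovo: it reads the version Programs and Features displays from the Uninstall registry keys, parses each dotted component as a number so leading zeros are ignored, and compares against 5.6.0.27, the last version IOActive reported as affected. The display-name and publisher matching and the padding of short version strings to four components are this example’s own assumptions.

```powershell
# Added example (not from the article, IOActive or Lenovo): decide whether an
# installed Lenovo System Update build is at or below 5.6.0.27, the last version
# IOActive reported as vulnerable, comparing components numerically rather than
# as text so that "5.06.0034" is correctly treated as later than "5.6.0.27".

# Per IOActive's bulletin: 5.6.0.27 and earlier are affected, later builds are not.
$script:LastVulnerableVersion = [version]'5.6.0.27'

function ConvertTo-NormalizedVersion {
    param([Parameter(Mandatory)][string]$VersionText)
    # Parse every dotted part as an integer (drops leading zeros), then pad to
    # four parts so "5.6.27" and "5.6.0.27" have the same shape. The padding
    # rule is an assumption made for this example, not Lenovo's convention.
    $parts = @($VersionText.Trim().Split('.') | ForEach-Object { [int]$_ })
    while ($parts.Count -lt 4) { $parts += 0 }
    return [version]::new($parts[0], $parts[1], $parts[2], $parts[3])
}

function Test-LenovoSystemUpdateVulnerable {
    param([Parameter(Mandatory)][string]$InstalledVersion)
    # "Or earlier" from the bulletin, applied literally: anything <= 5.6.0.27.
    return (ConvertTo-NormalizedVersion $InstalledVersion) -le $script:LastVulnerableVersion
}

function Get-LenovoSystemUpdateVersion {
    # Programs and Features reads DisplayName/DisplayVersion from these keys;
    # check both the 64-bit and the 32-bit (WOW6432Node) views.
    # The DisplayName/Publisher patterns below are assumptions for this example.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*System Update*' -and $_.Publisher -like 'Lenovo*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# Constructed sample strings taken from the article and the comment thread,
# showing why a plain string comparison gives the wrong answer.
foreach ($v in '5.6.0.27', '5.06.0034', '5.6.027', '4.01.0015') {
    $stringSaysLater = $v -gt '5.6.0.27'          # text comparison: misleading
    $vulnerable      = Test-LenovoSystemUpdateVulnerable $v
    '{0,-10} vulnerable(numeric)={1,-5} string-says-later={2}' -f $v, $vulnerable, $stringSaysLater
}

# Live check against this machine's Programs and Features entries.
$installed = Get-LenovoSystemUpdateVersion
if ($installed) {
    if (Test-LenovoSystemUpdateVulnerable $installed) {
        Write-Warning "Lenovo System Update $installed is at or below 5.6.0.27; install the fixed version."
    } else {
        Write-Output "Lenovo System Update $installed is newer than 5.6.0.27."
    }
} else {
    Write-Output 'Lenovo System Update was not found in Programs and Features.'
}
```

Because the check applies the bulletin’s “5.6.0.27 or earlier” literally, a 4.x build such as the 4.01.0015 mentioned in the comments is flagged as well; whether the older non-self-updating series actually contains the same hole is the open question the article’s author raises, so treat that result as “confirm with Lenovo” rather than a verdict.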
Thank you for this information. We have some newer Lenovos we have updated. But I have some older X220’s with the software 4.01.0015 and it will not update itself as some of the newer Lenovos will. Do you think I am better off installing the software? Or searching around and trying to find an installable update through Lenovo?
I’m not sure, now you mention it, whether the bug is in the 5.x series only or if older, non-self-updating flavours are vulnerable.
I’d try to contact Lenovo support to make sure. If you can manually upgrade the older computers to the latest 5.6.x version, and that’s supported, it would seem to be the best of all worlds…