Computer maker Lenovo has updated Fingerprint Manager Pro for Windows 7, 8, and 8.1 to address several insecure credential storage issues in the software, including the presence of a hardcoded password.
Rated High severity and tracked as CVE-2017-3762, the vulnerability was discovered by Jackson Thuraisamy from Security Compass. An attacker attempting to exploit the issue could escalate their privileges on the local system.
The flaw only impacts Lenovo Fingerprint Manager Pro, a utility for Windows 7, 8, and 8.1 that has been designed to help users log into their PCs or authenticate to configured websites by means of fingerprint recognition.
The bug resides in the use of a weak algorithm when encrypting sensitive data stored by Fingerprint Manager Pro, such as users’ Windows logon credentials and fingerprint data, the company said in an advisory.
What’s more, the application was found to contain a hardcoded password and to be accessible to all users with local non-administrative access to the computer it is installed on.
According to Lenovo, the application may be installed on a large number of device models, including ThinkPad L560, P40 Yoga, P50s, T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560, W540, W541, W550s, X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT), X240, X240s, X250, X260, Yoga 14 (20FY), and Yoga 460; ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, and M93z; and ThinkStation E32, P300, P500, P700, P900.
The vulnerability has been addressed in Lenovo Fingerprint Manager Pro version 8.01.87. Owners of the aforementioned models should update to the new software release.