Lenovo has patched critical flaws in its computers that allow an attacker to compromise the System Update service.
As its name implies, Lenovo’s System Update feature downloads system updates from the Internet. Security researchers at IOActive however identified multiple vulnerabilities that could enable attackers to wreak havoc. The first of the vulnerabilities, if exploited, allows a local least-privileged user to run commands as the system user.
According to IOActive, this is due to System Update using a predictable security token.
“Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk,” according to the advisory. “Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user.”
The second issue has to do with signature validation issues. If left unpatched, local and remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious ones. Specifically, Lenovo failed to validate the certificate authority (CA) chain, allowing an attacker to potentially create a fake CA and use it to create a fraudulent code-signing certificate.
“Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable,” according to the advisory. “The System Update uses TLS/SSL to secure its communications with the update server, which should protect against “coffee shop” style attacks.”
Failing to validate a certificate properly gives attackers a powerful weapon to circumvent security, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected,” he said. “Using keys and certificates attempted to solve the first security problems on the Internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”
The final flaw allows local unprivileged users to run commands as administrators. While the System Update checks for a signature before running executables downloaded from the Internet, it does so in a directory that is writeable by any user.
“As a result of saving the executables in a writable directory, Lenovo created a race condition between verifying the signature and executing the saved executable,” according to IOActive. “A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable.”
All three vulnerabilities were patched in April.