©2015 IOActive, Inc. All Rights Reserved [1]
IOActive Security Advisory
Title Lenovo’s System Update Uses a Predictable Security Token
Severity High
Discovered by Michael Milvich michael.milvich@ioactive.com
Sofiane Talmat sofiane.talmat@ioactive.com
CVE CVE-2015-2219
Advisory Date April 14, 2014
Affected Product
Lenovo System Update (5.6.0.27 and earlier versions)
Impact
This vulnerability allows local least-privileged users to run commands as the SYSTEM user.
Background
The Lenovo System Update allows least privileged users to perform system updates. To do
this, the System Update includes the System Update service (SUService.exe). This service
runs privileged as the SYSTEM user and communicates with the System Update which is
running as the unprivileged user. The service creates a named pipe through which the
unprivileged user can send commands to the service. When the unprivileged System
Update needs to execute a program with higher privileges, it writes the command to the
named pipe, and the SUService.exe reads the command and executes it.
Technical Details
Arbitrarily executing commands sent by a malicious unprivileged user represents a massive
security risk. Lenovo does attempt to restrict access to the System Update Service by
requiring clients of the named pipe to authenticate by including a security token with the
command the unprivileged user wishes to execute. Unfortunately this token is a predictable
token and can be generated by any user without requiring any elevated permissions.
As a result, an attacker who is unprivileged can perform the same operations as the System
Update. The attacker can create a valid token and include it with a command to be
executed. The SUService.exe will then execute the command as the SYSTEM user.
Fixes
Lenovo has released an updated version, which replaces the token authentication method,
and is available through the System Update.
Timeline
• February 2015: IOActive discovers vulnerability
• February 19, 2015: IOActive notified vendor
• April 3, 2015: Vendor released patch
• April 14, 2015: IOActive & Vendor advisory published
IOActive Security Advisory
Title Lenovo’s System Update Signature Validation Errors
Severity High
Discovered by Michael Milvich michael.milvich@ioactive.com
Sofiane Talmat sofiane.talmat@ioactive.com
CVE CVE-2015-2233
Advisory Date April 14, 2015
Affected Products
Lenovo System Update (5.6.0.27 and earlier versions)
Impact
Local and potentially remote attackers can bypass signature validation checks and replace
trusted Lenovo applications with malicious applications. These applications will then be run
as a privileged user.
The System Update downloads executables from the Internet and runs them. Remote
attackers who can perform a man in the middle attack (the classic coffee shop attack) can
exploit this to swap Lenovo’s executables with a malicious executable. The System Update
uses TLS/SSL to secure its communications with the update server, which should protect
against “coffee shop” style attacks.
Background
The System Update downloads executables from the Internet and runs them. As a security
measure Lenovo signs its executables and checks the signature before running them, but
unfortunately does not completely verify them.
Technical Details
When performing the signature validation, Lenovo failed to properly validate the CA
(certificate authority) chain. As a result, an attacker can create a fake CA and use it to
create a code-signing certificate, which can then be used to sign executables. Since the
System Update failed to properly validate the CA, the System Update will accept the
executables signed by the fake certificate and execute them as a privileged user.
Fixes
Lenovo has released an updated version, which validates the CA chain, and is available
through the System Update.
Timeline
• February 2015: IOActive discovers vulnerability
• February 19, 2015: IOActive notifies vendor
• April 3, 2015: Vendor releases patch
• April 14, 2015: IOActive & Vendor publish advisory
IOActive Security Advisory
Title Lenovo’s System Update Race Condition
Severity High
Discovered by Michael Milvich michael.milvich@ioactive.com
Sofiane Talmat sofiane.talmat@ioactive.com
CVE CVE-2015-2234
Advisory Date April 14, 2015
Affected Products
Lenovo System Update (5.6.0.27 and earlier versions)
Impact
This vulnerability allows local unprivileged users to run commands as an administrative
user.
Background
The System Update downloads executables from the Internet and runs them. The System
Update does check for a signature before running them, but does so in a directory writable
by any user.
Technical Details
As a result of saving the executables in a writable directory, Lenovo created a race
condition between verifying the signature and executing the saved executable. A local
attacker could exploit this to perform a local privilege escalation by waiting for the System
Update to verify the signature of the executable, and then swapping out the executable with
a malicious version before the System Update is able to run the executable. When the
System Update gets around to running the executable, it will run the malicious version,
thinking it was the executable that it had already verified. An attacker can use this to gain
elevated permissions.
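To make the time-of-check/time-of-use gap concrete, here is an added example (not IOActive's or Lenovo's code) that simulates both the vulnerable pattern and the hardened one in Python. It assumes a constructed HMAC over the file bytes as a stand-in for the real code-signing check; the vulnerable runner verifies the file by path and re-opens it to run it, while the hardened runner copies the download into a directory only the current process can write, verifies that private copy, and runs exactly the bytes it verified.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed stand-in for a code-signing check: an HMAC over the file bytes
# under a key only the "vendor" holds. Authenticode is an X.509 signature, but
# the verify-then-execute race is the same whatever the signature scheme.
_VENDOR_KEY = b"constructed-demo-key"


def sign(data: bytes) -> bytes:
    return hmac.new(_VENDOR_KEY, data, hashlib.sha256).digest()


def signature_ok(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def run(data: bytes) -> str:
    """Stand-in for launching the executable: returns what 'ran'."""
    return data.decode()


def check_then_run_vulnerable(path: Path, sig: bytes,
                              between: Callable[[], None] = lambda: None) -> Optional[str]:
    """The pattern from the advisory: verify the file at `path`, then open
    `path` a second time to execute it. `between` stands for the work done
    in the window, during which any local user can replace the file."""
    if not signature_ok(path.read_bytes(), sig):
        return None
    between()
    return run(path.read_bytes())  # second open may return a different file


def verify_and_run_hardened(path: Path, sig: bytes,
                            between: Callable[[], None] = lambda: None) -> Optional[str]:
    """Copy into a per-process private directory (mode 0700 on POSIX), verify
    the private copy, and execute exactly the bytes that were verified."""
    with tempfile.TemporaryDirectory(prefix="su-private-") as private_dir:
        private_copy = Path(private_dir) / path.name
        private_copy.write_bytes(path.read_bytes())
        data = private_copy.read_bytes()
        if not signature_ok(data, sig):
            return None
        between()  # the shared file may change now; `data` cannot
        return run(data)


def simulate(runner, swap_when: str = "during") -> Optional[str]:
    """Drive `runner` against a world-writable staging directory holding a
    signed update. `swap_when="during"` replaces the file inside the
    check/use window; `"before"` replaces it before the check runs."""
    with tempfile.TemporaryDirectory(prefix="su-shared-") as shared_dir:
        shared = Path(shared_dir)
        os.chmod(shared, 0o777)  # writable by any user, as in the advisory
        exe = shared / "update.exe"
        trusted = b"trusted-vendor-update"
        exe.write_bytes(trusted)
        sig = sign(trusted)  # signature over the genuine bytes only

        if swap_when == "before":
            exe.write_bytes(b"replaced-before-check")
            return runner(exe, sig)

        def swap() -> None:
            exe.write_bytes(b"replaced-in-window")  # unsigned replacement

        return runner(exe, sig, between=swap)


if __name__ == "__main__":
    print("vulnerable ran:", simulate(check_then_run_vulnerable))
    print("hardened ran:  ", simulate(verify_and_run_hardened))
```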
Fixes
Lenovo has released an updated version, which changes how downloaded files are stored.
It is available through the System Update.
Timeline
• February 2015: IOActive discovers vulnerability
• February 19, 2015: IOActive notifies vendor
• April 3, 2015: Vendor releases patch
• April 14, 2015: IOActive & Vendor publish advisory
Lenovo Accused Of ‘Massive Security Risk’ By Researchers