Lenovo Fingerprint Reader Software Failed to Properly Secure Credentials

Lenovo is advising users of ThinkPad, ThinkCentre and ThinkStation business computers to install a new version of its fingerprint management software to fix a security issue that could expose credentials and authentication data.

“Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” Lenovo said in an advisory.

The company has fixed the issue in Fingerprint Manager Pro 8.01.87, released in December, although the changelog doesn’t make that clear. The only change listed for the new version is: “All binaries digitally signed with Softex certificate and will show sha256 as digest algorithm.”

Lenovo Fingerprint Manager Pro is a utility for systems running Windows 7, 8 or 8.1 that allows users to authenticate on their PCs and on various websites using the fingerprint reader of their Lenovo computers. Windows 10 provides its own component for managing fingerprint readers, so users shouldn’t have Lenovo’s software installed on such systems.

This is not the first time when a security vulnerability has been found in Lenovo’s fingerprint software. In March 2016, the company fixed a privilege escalation vulnerability in the same package that could have allowed attackers to execute malicious code with administrator privileges.

Microsoft Releases Out-of-Band Update to Disable Spectre Mitigation

Microsoft has released an unscheduled update for Windows systems to disable the mitigation released earlier this month for one of the two Spectre attack variants affecting CPUs. The decision comes after Intel confirmed that its CPU microcode patch for Spectre variant 2 can cause system reboots and other unpredictable behavior.

“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft said in a support document. “While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability.’ In our testing this update has been found to prevent the behavior described.”

Spectre variant 2, also known as branch target injection, requires a microcode patch that adds a new mechanism to the CPU’s instructions as well as an OS-level patch that uses that allows Windows to use the new mechanism. What Microsoft does with this update is to disable the OS-level mitigation, which should prevent reboots even if the faulty microcode has been applied through the BIOS.

Intel confirmed the problems introduced by its microcode update for Broadwell and Haswell CPUs last week and said that an improved fix that was shared with computer manufacturers for testing. OEMs, including HP, Dell and Lenovo, withdrew their previously released BIOS/UEFI updates that included the buggy microcode and are expected to release new versions with the improved fix once testing is complete.

Instead of deploying the KB4078130 update, system administrators can disable the Windows mitigation for Spectre variant 2 by changing special registry keys described in previous Microsoft support documents. This can be automated in enterprise environments to disable the patch on a large number of computers.

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers,” Microsoft said. “We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”

Microsoft has previously halted the distribution of Spectre variant 2 patches on systems with AMD CPUs because they were also causing instability. The company later resumed the updates after the cause was identified and resolved.

Sponsored Content
Upcoming Webinar
RSA 2018- What’s Hot in the Cyber Security Space

RSA 2018- What’s Hot in the Cyber Security Space

Love it or hate, the annual RSA Conference (RSAC) in San Francisco is the largest cyber security conference in world. It is where the world comes to talk and learn security. Inevitably every year at RSAC there are some technologies that become the industry buzzwords and hot buttons. These generally ... Read More
April 2, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 116 posts and counting.See all posts by lucian-constantin

One thought on “Lenovo Fingerprint Reader Software Failed to Properly Secure Credentials

Comments are closed.