Lenovo Warns ThinkPads Vulnerable to Wi-Fi Flaws

Lenovo has warned customers that 24 models of its ThinkPad laptops, which are popular with business users, are affected by two critical vulnerabilities in Broadcom wireless controllers.

The flaws, tracked as CVE-2017-11120 and CVE-2017-11121, were discovered last year by researchers from Google’s Project Zero and were patched in both Android and iOS devices in September. They can be exploited remotely by unauthenticated attackers to achieve code execution on affected devices.

It turns out that the same flaws exist in the Broadcom BCM4356 Wireless LAN driver shipped with two dozen Lenovo ThinkPad models. The company released a patched driver version (1.558.53.1) for most affected laptops in November and December, but only notified customers about the existence of the flaws Feb. 8 in a security advisory.

There are two affected models of ThinkPad L460 (20FU and 20FV) for which an update is not yet available, and some other models are flagged with “no supplier support,” which might indicate they will never receive a patch. Most affected laptops received Windows 10 driver updates, but some also require patched versions for Windows 8.1 and Windows 7 that are not yet available.

The affected products are ThinkPad 10, ThinkPad L460, ThinkPad L560, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260, ThinkPad Yoga 260 and ThinkPad S1 2nd Gen.
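Because the fix is delivered as a driver update rather than a Windows patch, the practical check on a fleet of ThinkPads is whether the installed Broadcom wireless driver is at or above the patched version. The following PowerShell script is an added example, not part of Lenovo's advisory or the original article: it reads the system model and the Broadcom network driver version via WMI and compares it with 1.558.53.1, the patched version the article cites. It assumes that version is the floor for every affected model; since the article notes that some models and older Windows releases have no fix yet, treat the output as a triage aid and confirm the per-model version against Lenovo's advisory.

```powershell
# Added example (not Lenovo's code): flag ThinkPads whose Broadcom wireless
# driver is older than the version Lenovo shipped as the fix.
# Assumption: 1.558.53.1 (from the article) is the minimum fixed version for
# every affected model; verify against the advisory for your specific machine.
$PatchedVersion = [version]'1.558.53.1'

# Informational: Lenovo populates Win32_ComputerSystemProduct with the
# marketing name (e.g. "ThinkPad X260") in Version and the machine type in Name.
$product = Get-CimInstance Win32_ComputerSystemProduct
Write-Output ("System: {0} ({1})" -f $product.Version, $product.Name)

# Only network-class drivers from Broadcom are in scope for this check.
$drivers = Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'NET' -and $_.Manufacturer -like '*Broadcom*' }

if (-not $drivers) {
    Write-Output 'No Broadcom network driver found; this system is not in scope for this check.'
    return
}

foreach ($d in $drivers) {
    # DriverVersion is a string such as "1.558.53.1"; parse it so the
    # comparison is numeric per component rather than lexical.
    try { $installed = [version]$d.DriverVersion } catch { $installed = $null }

    if ($null -eq $installed) {
        Write-Output ("{0}: could not parse driver version '{1}'; inspect manually" -f $d.DeviceName, $d.DriverVersion)
    } elseif ($installed -ge $PatchedVersion) {
        Write-Output ("{0}: {1} (patched)" -f $d.DeviceName, $installed)
    } else {
        Write-Output ("{0}: {1} (VULNERABLE; needs {2} or later)" -f $d.DeviceName, $installed, $PatchedVersion)
    }
}
```

Run it from an elevated PowerShell prompt on each laptop, or wrap it in `Invoke-Command` for remote collection. A machine that reports "patched" here but is one of the models Lenovo flags as "no supplier support" is still worth a second look, since the advisory, not the version string, is the authority on whether a given model was ever fixed.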

On Feb. 8, Lenovo also offered guidance for a weak password issue in Intel vPro Active Management Technology (AMT) that affects ThinkPad systems, and for a privilege escalation vulnerability in Intel graphics drivers that exists in many Lenovo laptops, desktops, all-in-one systems, workstations and servers.

VMware Starts Releasing Meltdown and Spectre Fixes for Virtual Appliances

VMware has released updates and workarounds this week for several of its virtual appliances impacted by the serious Meltdown and Spectre CPU vulnerabilities announced last month.

According to an advisory published Feb. 8, the affected appliances are: vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA).

Fixes are available only for vSphere Integrated Containers, for which the company advises customers to update to version 1.3.1. For the rest of the affected virtual appliances, VMware has provided workarounds in individual support articles.

The company previously released updates for its ESXi hypervisor to include the CPU microcode patches released by Intel in January. However, after Intel confirmed that those fixes caused unexpected reboot issues, VMware decided to withdraw the ESXi updates from its website.

WordPress Releases Update to Fix Broken Automatic Updates

One day after releasing a WordPress update this week, developers of the popular content management system had to release another one to fix a bug that broke the automatic update functionality. As a result, users now have to manually install the latest update to receive future updates.

“Unfortunately yesterdays (sic) 4.9.3 release contained a severe bug which was only discovered after release,” WordPress developer Dion Hulse said in a blog post. “The bug will cause WordPress to encounter an error when it attempts to update itself to WordPress 4.9.4, and will require an update to be performed through the WordPress dashboard or hosts update tools.”


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
