Thursday, March 28, 2024

Attackers Can Bypass Lenovo Fingerprint Manager through a Hard-coded Password

Lenovo released a security update for critical vulnerability with Lenovo Fingerprint Manager Pro that impacts dozens of ThinkPad, ThinkCentre and ThinkStation Workstations that are running Windows 7, 8 and the 8.1 operating systems.

It is a utility for user authentication based on fingerprint recognition for Windows 8.1 (32-bit, 64-bit), 8 (32-bit, 64-bit), 7 (32-bit, 64-bit) – ThinkPad, ThinkCentre, Workstations.

A critical Local Privilege Escalation vulnerability detected with Lenovo Fingerprint Manager Pro allows a local attacker to get access to the system and even to Windows login credentials and fingerprint data.

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows login credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.

Lenovo credited Jackson Thuraisamy from Security Compass for identifying this issue(CVE-2017-3762).

Impacted Workstations

  • ThinkPad L560.
  • ThinkPad P40 Yoga, P50s.
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560.
  • ThinkPad W540, W541, W550s.
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT).
  • ThinkPad X240, X240s, X250, X260.
  • ThinkPad Yoga 14 (20FY), Yoga 460.
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z.
  • ThinkStation E32, P300, P500, P700, P900.

Mitigations – Lenovo Fingerprint Manager Pro

Lenovo strongly recommends to Update Fingerprint Manager Pro to version 8.01.87 or later.

A couple of days Lenovo discovered a backdoor in network switches that powered by Enterprise Network Operating System firmware during the security audit by Lenovo in the Telnet and Serial Console management interfaces.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles