Attackers Can Bypass Lenovo Fingerprint Manager through a Hard-coded Password

Lenovo released a security update for critical vulnerability with Lenovo Fingerprint Manager Pro that impacts dozens of ThinkPad, ThinkCentre and ThinkStation Workstations that are running Windows 7, 8 and the 8.1 operating systems.

It is a utility for user authentication based on fingerprint recognition for Windows 8.1 (32-bit, 64-bit), 8 (32-bit, 64-bit), 7 (32-bit, 64-bit) – ThinkPad, ThinkCentre, Workstations.

A critical Local Privilege Escalation vulnerability detected with Lenovo Fingerprint Manager Pro allows a local attacker to get access to the system and even to Windows login credentials and fingerprint data.

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows login credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.

Lenovo credited Jackson Thuraisamy from Security Compass for identifying this issue(CVE-2017-3762).

Impacted Workstations

• ThinkPad L560.
• ThinkPad P40 Yoga, P50s.
• ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560.
• ThinkPad W540, W541, W550s.
• ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT).
• ThinkPad X240, X240s, X250, X260.
• ThinkPad Yoga 14 (20FY), Yoga 460.
• ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z.
• ThinkStation E32, P300, P500, P700, P900.

Mitigations – Lenovo Fingerprint Manager Pro

Lenovo strongly recommends to Update Fingerprint Manager Pro to version 8.01.87 or later.

A couple of days Lenovo discovered a backdoor in network switches that powered by Enterprise Network Operating System firmware during the security audit by Lenovo in the Telnet and Serial Console management interfaces.