Lenovo, the world’s No. 1 PC manufacturer, is wearing another technical black eye this week after the disclosure of a serious security risk in its system update program that was discovered by an outside research firm. Lenovo conceded that there were “multiple vulnerabilities” found but also insists that they have been solved.

“As a result, an attacker who is unprivileged can perform the same operations as the System Update,” the firm warned. The severity of the security problem is “high.”

It’s the second time in recent months that Lenovo has taken a blow to its reputation. Lenovo was roundly criticized for the installation of Superfish adware on machines that created a security risk. The company, which operates its executive headquarters in Morrisville, said it was unaware of the risk, offered tools to fix it, and promised cleaner machines moving forward. That disclosure also led to a hack of Lenovo’s corporate website, something the company has yet to discuss in any detail.

Lenovo also recently had to recall battery packs and power cords.

Now comes the system update report just days after the company celebrated the 10th anniversary of the deal through which it acquired IBM’s PC business, setting the stage for its march to the No. 1 PC seller rank.

After giving Lenovo 30 days to respond to the risk warning it sent to the company, IOActive published a “Security Advisory” which the media discovered this week. The report has ignited headlines around the world, and one security expert in the U.K. told the BBC that Lenovo is “building a ‘lamentable record for security.’”

WTW reached out to Lenovo for comment. Its response was to point WTW to a website that two weeks ago posted an update on the problem as well as a guide to users on how to fix it.

Lenovo labeled the risk as “medium.”

Malware through updates possible

Here’s how Lenovo describes the problem:

“Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation creating a race condition. The latest Lenovo System Update release eliminates this possibility.”

In other words, malware already present on a Lenovo machine could tamper with a downloaded update before it was installed.

Tech Target Network defines a “race condition” this way: “[A] race condition may occur if commands to read and write a large amount of data are received at almost the same instant, and the machine attempts to overwrite some or all of the old data while that old data is still being read. The result may be one or more of the following: a computer crash, an ‘illegal operation,’ notification and shutdown of the program, errors reading the old data or errors writing the new data. A race condition can also occur if instructions are processed in the incorrect order.”

And the risk was broad. Products affected as cited by Lenovo include:

  • All ThinkPad
  • All ThinkCentre
  • All ThinkStation
  • Lenovo V/B/K/E Series

Lenovo publicly thanked the IOActive researchers who discovered the problem in February and said it “worked directly” with them to correct the problem.

(See: http://news.lenovo.com/article_display.cfm?article_id=1973)

“Multiple vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities,” Lenovo acknowledged.

The technical details

In explaining the vulnerability, IOActive noted (emphasis added):

“The Lenovo System Update allows least privileged users to perform system updates. To do this, the System Update includes the System Update service (SUService.exe). This service runs privileged as the SYSTEM user and communicates with the System Update which is running as the unprivileged user. The service creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it.

“Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user.”
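The two design flaws described above (a privileged service that validates an update file and then re-reads it from a location malware can write to, and a command channel that executes whatever a low-privilege client sends) can be illustrated with a small simulation. This is an added example, not Lenovo's or IOActive's code; the HMAC key stands in for a vendor signing key, and the "tamper" callback stands in for malware writing to the download directory during the race window.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key standing in for the vendor's signing key (assumption: a real
# service would verify a vendor signature over the update, not an HMAC).
VENDOR_KEY = b"example-vendor-key"

# A hardened service accepts only fixed, named operations, never a command line.
ALLOWED_OPS = {"install_update"}


def vendor_tag(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def unsafe_install(path, tag, install_dir, tamper=None):
    # Vulnerable pattern: validate the file, then re-read it to install.
    # Anything that can write to `path` may swap its contents in between.
    with open(path, "rb") as f:
        if not hmac.compare_digest(vendor_tag(f.read()), tag):
            return False
    if tamper:
        tamper(path)  # simulates malware acting inside the race window
    with open(path, "rb") as src, open(os.path.join(install_dir, "update.bin"), "wb") as dst:
        dst.write(src.read())  # installs whatever is on disk now
    return True


def safe_install(op, path, tag, install_dir, tamper=None):
    if op not in ALLOWED_OPS:  # no arbitrary commands from the client
        return False
    with open(path, "rb") as f:
        data = f.read()  # read once; validate and install the same bytes
    if tamper:
        tamper(path)  # too late: the copy being validated is already in memory
    if not hmac.compare_digest(vendor_tag(data), tag):
        return False
    with open(os.path.join(install_dir, "update.bin"), "wb") as dst:
        dst.write(data)
    return True


def demo():
    """Returns (bytes installed by unsafe path, bytes installed by safe path)."""
    genuine = b"genuine update payload"  # constructed sample update
    tag = vendor_tag(genuine)

    def tamper(p):
        with open(p, "wb") as f:
            f.write(b"tampered payload")

    results = []
    for installer in (lambda d, t: unsafe_install(d, tag, t, tamper),
                      lambda d, t: safe_install("install_update", d, tag, t, tamper)):
        with tempfile.TemporaryDirectory() as dl, tempfile.TemporaryDirectory() as target:
            dl_path = os.path.join(dl, "update.bin")
            with open(dl_path, "wb") as f:
                f.write(genuine)
            installer(dl_path, target)
            with open(os.path.join(target, "update.bin"), "rb") as f:
                results.append(f.read())
    return tuple(results)
```

Running `demo()` shows the unsafe path installing the tampered bytes even though validation passed, while the safe path installs exactly the bytes it validated; `safe_install` also refuses any operation outside the allowlist.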

Read more at: http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf