Lenovo fingerprint security can be bypassed by a hard-coded password

Computer security researchers have discovered a dangerous security hole in Lenovo Fingerprint Manager Pro. According to the reports, the fingerprint authentication can be easily bypassed by malicious users who enter a hard-coded password.




Lenovo Fingerprint Manager Pro may be bypassed due to security bug
Lenovo has released a critical security patch for its Fingerprint Manager Pro software because of a dangerous vulnerability that was recently discovered. According to the security reports, the program that is responsible for managing the fingerprint identification information contains a hard-coded password that can be used to bypass the authentication process.

The software is compatible with all major versions of the Microsoft Windows family (Windows 7, 8 and 8.1) and allows Lenovo customers not only to configure the operating system lock, but also to store web service credentials. In the presence of bugs like this one, that can be extremely dangerous, because malware operators can gain access to bank accounts. The fingerprint identification information was encrypted using an algorithm that is weak by current security standards.

As a result of the vulnerability, malicious users with physical access to the machines can enter the password and receive unlimited access to the target computers. If victims have also configured web services such as banking to authenticate via fingerprint scanning and stored password credentials, those are accessible as well.

It is possible to compromise target computers remotely by embedding the malicious code in a virus or Trojan. Such attacks can be used against Lenovo product users. Experienced computer criminals can easily create lists of potential victims by acquiring them through business forums and user communities.

More details about Lenovo's fingerprint security bug
The bug disclosure states that the bug impacts products in all ranges offered by the company (ThinkPad, ThinkCentre and ThinkStation), laptops as well as desktop models.

The bug is also tracked under CVE-2017-3762 which reads as follows:

The sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.

The complete list includes the following products, which are compatible with Fingerprint Manager Pro and therefore vulnerable to the bug:

  1. ThinkPad L560
  2. ThinkPad P40 Yoga, P50s
  3. ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  4. ThinkPad W540, W541, W550s
  5. ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  6. ThinkPad X240, X240s, X250, X260
  7. ThinkPad Yoga 14 (20FY), Yoga 460
  8. ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  9. ThinkStation E32, P300, P500, P700, P900


All users must update to version 8.01.87 or later immediately to fix the problem. Microsoft Windows 10 users are not affected, as the operating system can work with the fingerprint reader directly.
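
To find machines that still need the update, the version threshold above can be checked against a software inventory. The following is an added example, not code from Lenovo or from the original post; the CSV layout, column names and host names are constructed assumptions. It compares versions numerically, since a plain string comparison would misjudge values such as 8.01.100 or 8.01.9.

```python
import csv
import io

FIXED = (8, 1, 87)  # first fixed release named in the article: 8.01.87
PRODUCT = "fingerprint manager pro"

# Constructed inventory export; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,model,os,software,version
ws-001,ThinkPad T450s,Windows 7,Lenovo Fingerprint Manager Pro,8.01.86
ws-002,ThinkPad X260,Windows 8.1,Lenovo Fingerprint Manager Pro,8.01.87
ws-003,ThinkCentre M93p,Windows 7,Lenovo Fingerprint Manager Pro,8.01.100
ws-004,ThinkPad L560,Windows 8,Lenovo Fingerprint Manager Pro,8.01.9
ws-005,ThinkStation P500,Windows 7,Lenovo Fingerprint Manager Pro,unknown
ws-006,ThinkPad T460,Windows 10,Some Other Tool,1.0.0
"""

def parse_version(text):
    """Turn '8.01.86' into (8, 1, 86); return None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map host -> 'update', 'ok' or 'check' for rows listing the product."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if PRODUCT not in row["software"].lower():
            continue  # product not installed on this row
        version = parse_version(row["version"])
        if version is None:
            result[row["host"]] = "check"   # unparseable: verify by hand
        elif version < FIXED:
            result[row["host"]] = "update"  # 8.01.86 and earlier
        else:
            result[row["host"]] = "ok"      # 8.01.87 or later
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(host, status)
```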
