Security company IOActive has uncovered major vulnerabilities in Lenovo's System Update service.
The service, which can be accessed from Lenovo's official site, allows users to download the latest drivers and other needed software, such as security patches.
However, it also allows hackers to perform malicious attacks, such as replacing valid Lenovo programs with malware, bypassing validation checks, and running commands remotely.
The vulnerabilities were first discovered by the firm in February. Lenovo was given time to come up with a patch, which the PC maker issued a month ago. While a patch was made to remove the bug, Lenovo device owners are still required to download the security update in order to protect themselves.
One of the discovered vulnerabilities, which has been labeled CVE-2015-2233, is said to allow hackers to bypass signature validation checks on the machine and use malware to replace valid Lenovo programs.
"Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user," IOActive researchers Sofiane Talmat and Michael Milvich described the vulnerability.
"The System Update downloads executables from the Internet and runs them. Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks."
The term "coffee shop attack" describes the type of attack that occurs when a Lenovo device owner updates the device in a coffee shop. Updating there gives an attacker the chance to take advantage of the security hole and swap their own program in for those belonging to the Lenovo user. This security hole, together with others discovered by IOActive, is found in Lenovo System Update version 184.108.40.206 and earlier.
"Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable," said the researchers.
Talmat, IOActive's senior security consultant, confirmed that Lenovo has already issued a patch for the security hole. However, users would need to download the latest version of the Update software to keep their systems secure.
"It is not enough for Lenovo just to make it available," said Talmat. "Enterprises running this brand of products need to ensure that their users have patched via any means possible."