Lenovo has fixed a high-severity vulnerability in a wide range of computer models that allowed hackers with physical access to log in and then harvest users' Windows login credentials and other sensitive data.
The vulnerability resides in Lenovo Fingerprint Manager Pro, which is typically installed on ThinkPad, ThinkCentre, and ThinkStation models. A weak encryption algorithm allows someone with local non-administrative access to read Windows logon credentials and fingerprint data. From there, the person can log into the computer or use the extracted credentials for other purposes. The vulnerability affects only Fingerprint Manager Pro for Windows 7, Windows 8, or Windows 8.1. Fingerprint-enabled laptops running Windows 10 are not affected because they use Microsoft's native support.
“A vulnerability has been identified in Lenovo Fingerprint Manager Pro,” Lenovo officials wrote in an advisory posted late last week. “Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
The company is urging people to upgrade to version 8.01.87.
Affected laptops include:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
The fingerprint reader lets users log in to a number of functions using a fingerprint instead of a password. The vulnerability, which is indexed as CVE-2017-3762, comes almost three years after Lenovo fixed a separate vulnerability in an earlier fingerprint manager. While physical access is required to exploit the vulnerability, Windows login credentials are designed specifically to protect against situations where a person loses control of their hardware.
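For fleet triage against the fixed version and operating-system scope given above, the following is an added example, not code from Lenovo or from the original article. It assumes a software-inventory export in CSV form; the column names, hostnames, and sample version numbers are constructed for illustration.

```python
import csv
import io
import re

FIXED = (8, 1, 87)  # 8.01.87, the fixed release named in the advisory
PRODUCT = "lenovo fingerprint manager pro"
# Only Windows 7, 8 and 8.1 installs are in scope; Windows 10 uses native support.
AFFECTED_OS = re.compile(r"windows\s+(7|8(\.1)?)\b", re.IGNORECASE)

# Constructed sample inventory (hypothetical hosts, columns and versions).
SAMPLE_INVENTORY = """\
hostname,os,product,version
ws-001,Windows 7 Professional,Lenovo Fingerprint Manager Pro,8.01.63
ws-002,Windows 8.1 Pro,Lenovo Fingerprint Manager Pro,8.01.87
ws-003,Windows 10 Pro,Lenovo Fingerprint Manager Pro,8.01.41
ws-004,Windows 8 Enterprise,Lenovo Fingerprint Manager Pro,8.1.9
ws-005,Windows 7 Professional,Lenovo Fingerprint Manager Pro,unknown
ws-006,Windows 7 Professional,Some Other Tool,1.0
"""

def parse_version(text):
    """Turn '8.01.87' into (8, 1, 87) so fields compare numerically, not as strings."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return (hostname, status) for in-scope hosts that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != PRODUCT:
            continue  # different software
        if not AFFECTED_OS.search(row["os"]):
            continue  # e.g. Windows 10, out of scope per the advisory
        try:
            outdated = parse_version(row["version"]) < FIXED
        except ValueError:
            # Unreadable version: do not assume patched, send to manual review.
            findings.append((row["hostname"], "review"))
            continue
        if outdated:
            findings.append((row["hostname"], "vulnerable"))
    return findings

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts flagged `vulnerable` should be upgraded to 8.01.87 or later; hosts flagged `review` need their installed version confirmed by hand.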