Lenovo has fixed a high-severity vulnerability in a wide range of laptop models that allowed hackers with physical access to log in and then obtain users’ Windows login credentials and other sensitive data.
The vulnerability resides in the Lenovo Fingerprint Manager Pro, which is typically installed on ThinkPad, ThinkCentre, and ThinkStation models. A weak encryption algorithm makes it possible for someone with local non-administrative access to read Windows logon credentials and fingerprint data. From there, the person can log into the computer or use the extracted credentials for other purposes. The vulnerability affects only Fingerprint Manager Pro for Windows 7, Windows 8, or Windows 8.1. Fingerprint-enabled laptops running Windows 10 aren’t affected because they use Microsoft’s native fingerprint support instead.
“A vulnerability has been identified in Lenovo Fingerprint Manager Pro,” Lenovo officials wrote in an advisory published late last week. “Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
The company is urging people to upgrade to version 8.01.87.
Affected laptops include:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
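For administrators who need to find machines still running a vulnerable build, the following PowerShell check is an added example (not code from the article or from Lenovo). It assumes the product registers under the standard Uninstall registry keys with a DisplayName containing "Fingerprint Manager Pro" and reports whether the installed version is below the fixed 8.01.87 on an affected Windows release.

```powershell
# Added example (not from the article or Lenovo): reports whether this host still
# runs a Lenovo Fingerprint Manager Pro build older than the fixed 8.01.87.
# Assumption: the product appears under the standard Uninstall keys with a
# DisplayName containing "Fingerprint Manager Pro"; adjust the pattern if your
# software inventory shows a different name.

$FixedVersion = [version]'8.01.87'   # version the advisory tells users to upgrade to

# Only the Windows 7, 8 and 8.1 builds of the product are affected (NT 6.1 to 6.3).
$os = [System.Environment]::OSVersion.Version
$osAffected = ($os.Major -eq 6) -and ((1, 2, 3) -contains $os.Minor)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Fingerprint Manager Pro*' }

if (-not $installs) {
    Write-Output 'Fingerprint Manager Pro not installed: not affected by CVE-2017-3762.'
    return
}

foreach ($app in $installs) {
    # Some installers write version strings [version] cannot parse; flag those for review.
    $installed = $null
    $parsed = [version]::TryParse($app.DisplayVersion, [ref]$installed)

    if (-not $parsed) {
        Write-Output "$($app.DisplayName): version '$($app.DisplayVersion)' unparseable, review manually."
    } elseif (($installed -lt $FixedVersion) -and $osAffected) {
        Write-Output "VULNERABLE: $($app.DisplayName) $installed on Windows $os (fix is $FixedVersion)."
    } elseif ($installed -lt $FixedVersion) {
        Write-Output "Old build $installed present, but OS $os is outside the affected list; upgrade anyway."
    } else {
        Write-Output "OK: $($app.DisplayName) $installed is at or above $FixedVersion."
    }
}
```

Run it under a management tool that can collect the output per host, since the weak storage is readable by any local user and the fix is simply the newer package.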
The fingerprint reader allows users to log in to various services using a fingerprint instead of a password. The vulnerability, which is indexed as CVE-2017-3762, comes almost three years after Lenovo fixed a separate vulnerability in an earlier fingerprint manager. While physical access is required to exploit the vulnerability, Windows login credentials are designed specifically to safeguard against scenarios where a user loses control of their hardware.