Lenovo has patched a high-severity flaw in a wide range of laptop models that allowed hackers with physical access to log in and then obtain users' Windows login credentials and other sensitive data.
The flaw resides in Lenovo Fingerprint Manager Pro, which is typically installed on ThinkPad, ThinkCentre, and ThinkStation models. A weak encryption algorithm makes it possible for someone with local non-administrative access to read Windows logon credentials and fingerprint data. From there, the person can log in to the machine or use the extracted credentials for other purposes. The flaw affects only Fingerprint Manager Pro for Windows 7, Windows 8, or Windows 8.1. Fingerprint-enabled laptops running Windows 10 aren't affected since they use Microsoft's built-in support.
“A vulnerability has been identified in Lenovo Fingerprint Manager Pro,” Lenovo officials wrote in an advisory published late last week. “Sensitive information stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
The company is urging people to upgrade to version 8.01.87.
Affected laptops include:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
The fingerprint reader allows users to log in to several services using a fingerprint instead of a password. The vulnerability, which is indexed as CVE-2017-3762, comes almost 3 years after Lenovo patched a separate flaw in an earlier fingerprint manager. While physical access is required to exploit the vulnerability, Windows login credentials are designed specifically to protect against scenarios where a user loses control of their hardware.
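For fleet triage against the advisory, the following added example (not from Lenovo or the original article) flags inventory records where Fingerprint Manager Pro is older than 8.01.87 on Windows 7, 8 or 8.1. The record layout, host names and sample version strings are constructed assumptions.

```python
import re

PRODUCT = "Lenovo Fingerprint Manager Pro"   # product named in the advisory
FIXED = (8, 1, 87)                           # 8.01.87, the version to upgrade to
# Only Windows 7, 8 and 8.1 installs are affected; Windows 10 is not.
AFFECTED_OS = re.compile(r"^(?:Microsoft )?Windows (?:7|8|8\.1)\b")

def parse_version(text):
    """'8.01.87' -> (8, 1, 87); segments compare as integers, not strings."""
    fields = text.strip().split(".")
    if not all(f.isdigit() for f in fields):
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(f) for f in fields)

def triage(host):
    """Return 'upgrade', 'review' or 'ok' for one inventory record."""
    if not AFFECTED_OS.match(host["os"]):
        return "ok"
    for name, version in host["software"]:
        if name != PRODUCT:
            continue
        try:
            if parse_version(version) < FIXED:
                return "upgrade"
        except ValueError:
            return "review"                  # installed, but version unreadable
    return "ok"

# Constructed inventory records (hypothetical hosts, field names and versions).
INVENTORY = [
    {"host": "lab-01", "os": "Windows 7 Professional", "software": [(PRODUCT, "8.01.63")]},
    {"host": "lab-02", "os": "Windows 8.1 Pro", "software": [(PRODUCT, "8.01.87")]},
    {"host": "lab-03", "os": "Windows 10 Enterprise", "software": [(PRODUCT, "8.01.63")]},
    # "8.1.9" sorts after "8.01.87" as a string but is older numerically.
    {"host": "lab-04", "os": "Windows 8 Pro", "software": [(PRODUCT, "8.1.9")]},
    {"host": "lab-05", "os": "Windows 7 Enterprise", "software": [(PRODUCT, "unknown")]},
    {"host": "lab-06", "os": "Windows 7", "software": []},
]

def report(inventory=INVENTORY):
    """Map each host name to its triage status."""
    return {h["host"]: triage(h) for h in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```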