Lenovo | Breaking Cybersecurity News | The Hacker News

A security flaw impacting the Lighttpd web server used in baseboard management controllers ( BMCs ) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal. While the original shortcoming was  discovered and patched  by the Lighttpd maintainers way back in August 2018 with  version 1.4.51 , the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo. Lighttpd  (pronounced "Lighty") is an open-source high-performance web server software designed for speed, security, and flexibility, while optimized for high-performance environments without consuming a lot of system resources. The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space ...

Qualcomm on Tuesday  released patches  to address multiple security flaws in its chipsets, some of which could be exploited to cause information disclosure and memory corruption. The five vulnerabilities -- tracked from CVE-2022-40516 through CVE-2022-40520 -- also impact Lenovo ThinkPad X13s laptops, prompting the Chinese PC maker to issue BIOS updates to plug the security holes. The list of flaws is as follows - CVE-2022-40516, CVE-2022-40517 & CVE-2022-40520  (CVSS scores: 8.4) - Memory corruption in Core due to  stack-based buffer overflow CVE-2022-40518 & CVE-2022-40519  (CVSS scores: 6.8) - Information disclosure due to  buffer over-read  in Core Stack-based buffer overflow vulnerabilities can result in severe impacts, such as data corruption, system crashes, and arbitrary code execution. Buffer over-reads, on the other hand, can be weaponized to read out-of-bounds memory, leading to the exposure of secret data. Successful explo...

An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the  OpenSSL  cryptographic library, underscoring a supply chain risk. EFI Development Kit, aka  EDK , is an open source implementation of the Unified Extensible Firmware Interface ( UEFI ), which functions as an interface between the operating system and the firmware embedded in the device's hardware. The firmware development environment, which is in its second iteration (EDK II), comes with its own cryptographic package called  CryptoPkg  that, in turn, makes use of services from the OpenSSL project. Per firmware security company Binarly, the firmware image associated with Lenovo Thinkpad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018. What's more, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that w...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

PC maker Lenovo has addressed yet another set of three shortcomings in the Unified Extensible Firmware Interface (UEFI) firmware affecting several Yoga, IdeaPad, and ThinkBook devices. "The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS," Slovak cybersecurity firm ESET  explained  in a series of tweets. UEFI refers to software that acts as an interface between the operating system and the firmware embedded in the device's hardware. Because UEFI is  responsible  for launching the operating system when a device is powered on, it has made the technology an attractive option for threat actors looking to  drop malware  that's difficult to detect and remove. Viewed in that light, the flaws, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could be abused by an adversary to turn off Secure Boot, a security mechanism that's designed to prevent malicious programs ...

Consumer electronics maker Lenovo on Tuesday  rolled out fixes  to contain three security flaws in its UEFI firmware affecting over 70 product models. "The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," Slovak cybersecurity firm ESET  said  in a series of tweets. Tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs relate to  buffer overflow vulnerabilities  that have been described by Lenovo as leading to privilege escalation on affected systems. Martin Smolár from ESET has been credited with reporting the flaws. The bugs stem from an insufficient validation of an NVRAM variable called "DataSize" in three different drivers ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe, resulting in a buffer overflow that could be weaponized to achieve code ex...

Three high-impact Unified Extensible Firmware Interface (UEFI) security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices. Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two "affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks," ESET researcher Martin Smolár  said  in a report published today. "Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated," Smolár added. Successful exploitation of the flaws could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots. CVE-2021-3970, on the other hand, relates to a case of memory corruption in the System Management Mode ( SMM...

Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow leak sensitive data stored by the users. Fingerprint Manager Pro is a utility for Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software could also be configured to store website credentials and authenticate site via fingerprint. In addition to fingerprint data, the software also stores users sensitive information like their Windows login credentials—all of which are encrypted using a weak cryptography algorithm. According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762 , that made the software accessible to all users with local non-administrative access. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials...

In past few months, Microsoft opened the source code of a lot of its projects, convincing people that the company loves Linux . But a new report shows that Microsoft is not really a big supporter of Linux. Microsoft has banned Linux on some Windows 10 powered Signature Edition PCs, which provides the cleanest Windows experience on the market. Signature Edition PCs are different from other systems because it is carefully and meticulously configured by Microsoft to run Windows 10 with no bloatware, paid promotional web shortcuts, or other pre-installed apps, for providing better performance. But besides bloatware and other pre-installed apps, Microsoft won't allow you to install Linux (or any operating system) on it. This news is not a rumor as a Reddit user BaronHK reported that he found it impossible to install Linux on the Signature Edition Lenovo Yoga 900 ISK2 UltraBook because Microsoft has locked the SSD in a proprietary RAID mode that can only be read by Window...

What do you expect a tech giant to protect your backdoor security with? Holy Cow! It's " 12345678 " as a Hard-Coded Password . Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password. The Chinese largest PC maker made a number of headlines in past for compromising its customers security. It had shipped laptops with the insecure  SuperFish adware , it was  caught using Rootkit  to secretly install unremovable software, its  website was hacked , and it was  caught pre-installing Spyware  on its laptops. Any of these incidences could have been easily prevented. Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in: Information leaks Security protoco...

Lenovo.com , the official website of world's largest PC maker has been hacked. At the time of writing, users visiting Lenovo.com website saw a teenager's slideshow and hacker also added song "Breaking Free" from High School Musical movie to the page background. It appears that Lizard Squad hacking group is responsible for the cyber attack against Lenovo and it could be in retaliation to the Superfish malware incident. It was revealed earlier this week that Lenovo had been pre-installing controversial 'Superfish' adware to its laptops which compromised the computer's encryption certificates to quietly include more ads on Google search. In the Source code of the hacked webpage, description says," The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey "  Rory Andrew Godfrey and Ryan King have been previously identified as members of Lizard Squad Hacking Group. It is not clear whether anyone of them is involve...

According to a new report, the world's biggest personal computer maker, Chinese firm Lenovo Group Limited has reportedly been banned from supplying equipment for  networks of the intelligence and defense services of Australia, the United States, Britain, Canada and New Zealand, due to hacking concerns. Sources from intelligence and defense entities in the UK and Australia have confirmed the ban introduced in the mid-2000s after intensive laboratory testing of its equipment. In 2006 it was disclosed that the US State Department had decided not to use 16,000 new Lenovo computers on classified networks because of security concerns. Serious backdoor vulnerabilities in hardware and firmware were apparently discovered during the tests which could allow attackers to remotely access devices without the knowledge of the owner. Lenovo, headquartered in Beijing, acquired IBM's personal computer business in 2005, after which IBM continued to sell server...