Lenovo Patches Username/Password Flaw
Posted by: Timothy Weaver on 12/01/2015 09:41 AM
Lenovo users are being cautioned to apply a patch for a flaw that would allow a hacker to acquire administrator privileges. The patch was released over the Thanksgiving holiday.
IOActive reported that Lenovo System Update 5.07.001 (CVE-2015-8109) contained issues that would make it easier for an attacker to predict the username and password of the temporary administrator account.
One of the vulnerabilities is located in the tool’s help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That’s because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.
In their report, they said: “Lenovo creates a random temporary Administrator account with a username that follows the template tvsu_tmp_xxxxxXXXXX where each lowercase x is a randomly generated lower case letter and each uppercase X is a randomly generated uppercase letter. A 19-byte, random password is generated via an algorithm.”
Unfortunately, the function that creates the random password uses a predictable algorithm. With that knowledge, a hacker can use the account creation timestamp to predict the username.
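To illustrate the class of weakness described above, the following is an added example, not Lenovo's code nor anything from IOActive's report: a hypothetical generator that derives the temporary account's credentials from a PRNG seeded with the creation timestamp, placed beside a hardened version that draws from the operating system's CSPRNG. The username template and 19-character password length come from the article; the seeding scheme, character set and function names are assumptions.

```python
import random
import re
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
PASSWORD_CHARS = string.ascii_letters + string.digits  # assumed alphabet

# Username template quoted in the article: tvsu_tmp_ + 5 lowercase + 5 uppercase.
TEMPLATE = re.compile(r"^tvsu_tmp_[a-z]{5}[A-Z]{5}$")


def weak_temp_account(creation_timestamp: int) -> tuple[str, str]:
    """Hypothetical weak generator (models the flaw class, not Lenovo's code).

    Every output bit derives from a non-cryptographic PRNG seeded with the
    account creation time, so the credentials are a pure function of one
    low-entropy value that is also recorded in the system's own logs."""
    rng = random.Random(creation_timestamp)
    user = ("tvsu_tmp_"
            + "".join(rng.choice(LOWER) for _ in range(5))
            + "".join(rng.choice(UPPER) for _ in range(5)))
    password = "".join(rng.choice(PASSWORD_CHARS) for _ in range(19))
    return user, password


def strong_temp_account() -> tuple[str, str]:
    """Hardened form: same template, but drawn from the OS CSPRNG with no
    caller-supplied or observable seed, so knowing when the account was
    created tells an observer nothing about its name or password."""
    user = ("tvsu_tmp_"
            + "".join(secrets.choice(LOWER) for _ in range(5))
            + "".join(secrets.choice(UPPER) for _ in range(5)))
    password = "".join(secrets.choice(PASSWORD_CHARS) for _ in range(19))
    return user, password


def is_deterministic(generate, *args) -> bool:
    """Reviewer's check: a credential generator that returns identical
    output for identical inputs is predictable by anyone who knows the
    inputs; a sound one never repeats itself."""
    return generate(*args) == generate(*args)


def matches_template(username: str) -> bool:
    """Defender's check: does an account name fit the tvsu_tmp_ pattern?
    Useful when reviewing account-creation events for leftover temp accounts."""
    return TEMPLATE.fullmatch(username) is not None
```

Running `is_deterministic(weak_temp_account, 1448000000)` returns True while `is_deterministic(strong_temp_account)` returns False, which is the whole difference between the flawed and the fixed design.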
IOActive recommended that Lenovo owners install the Lenovo System Update application (version 5.06.0043 or higher) through the system update tool.
Source: SCMagazine