Lenovo Patches Arbitrary Code Execution Flaw

Lenovo warns of a high-severity bug impacting its System x line of servers, along with a medium-severity buffer-overflow vulnerability affecting its popular ThinkPad line.

Lenovo issued a pair of security advisories on Friday for its popular ThinkPad line and System x servers. One bug is tied to an authentication flaw in the Secure Boot process; and the other to a vulnerability that would allow for arbitrary code execution.

The company’s internal testing team discovered the first Secure Boot issue (CVE-2017-3775), which is rated as high-severity. Impacted are nearly a dozen enterprise-class Lenovo systems ranging from its System x, Flex System and one high-density NeXtScale nx360 M5 model server.

Secure Boot is an Intel firmware feature, which acts as a security gate or interface between an operating system and the firmware/BIOS. When enabled and fully configured, Secure Boot is designed to help a computer resist attacks and infection from malware; it detects tampering with boot loaders, key operating system files and unauthorized option ROMs by validating their digital signatures. Detections are then blocked from running before they can attack or infect the system.

On affected Lenovo server models, some BIOS/UEFI versions don’t properly authenticate signed code before booting in Secure Boot mode. As a result, an attacker with physical access to the system could boot unsigned, malicious code onto the device.

The manufacturer said that it ships the affected systems with Secure Boot disabled by default, because signed code is relatively new in the data center environment; meanwhile, standard operator configurations disable signature checking. But for those relying on Secure Boot, Lenovo has issued a series of BIOS/UEFI patches.

Buffer Overflow Bug

Meanwhile, first reported by white-hat SaifAllah benMassaoud, the buffer overflow flaw (CVE-2018-9063) exists in the MapDrv utility, which provides network share-related functions for System Update. Administrators with local access can use the MapDrv utility to connect or disconnect network shares.

It turns out that MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) can fall victim to an attacker that enters a very large user ID or password to overrun the program’s buffer. This in turn causes undefined behaviors, including the execution of arbitrary code.

It’s a medium-severity issue thanks to the fact that no additional privilege is granted to the attacker beyond the administrator rights that he or she already has to run MapDrv, and, it’s not remotely exploitable. Even so, Lenovo recommended in its advisory that users apply a patch to protect themselves.

The patch is available in version 5.07.0072 or later of the OS.

“You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting About,” the PC-maker said in its advisory.

Lenovo System Update automatically checks for a later version whenever the application is run, but users can also manually update their systems.

This is the latest vulnerability for Lenovo; in January, it issued a fix for a hardcoded password flaw impacting ThinkPad, ThinkCentre and ThinkStation laptops, and in February it reported that two critical Broadcom Wi-Fi vulnerabilities impact 25 models of ThinkPads.

Suggested articles