IOActive’s researchers have identified new flaws in Lenovo’s System Update service that attackers can use to get executables accepted under fake code-signing certificates.
IOActive detailed three separate vulnerabilities that would let attackers bypass the checks meant to ensure the integrity of applications, allowing them to run malware on an affected Lenovo machine.
“An attacker can create a fake [certificate authority] and use it to create a code-signing certificate, which can then be used to sign executables,” the advisory says. “Since the System Update failed to properly validate the certificate authority, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”
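The failure the advisory describes, a signer certificate whose chain verifies back to an attacker-created CA but is never checked against a root the vendor actually trusts, as an added Go example (not Lenovo’s or IOActive’s code). The certificates and names are constructed in the block; `weakAccept` and `strictAccept` are illustrative checks, not the real updater’s logic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints a throwaway test certificate (constructed): parent == nil self-signs a CA, otherwise parent issues a code-signing leaf.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // a root CA is its own issuer
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors elided for brevity
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// weakAccept mirrors the flaw described above: it checks the signer against the CA cert shipped alongside it, never whether that CA is trusted.
func weakAccept(signer, claimedCA *x509.Certificate) bool {
	return signer.CheckSignatureFrom(claimedCA) == nil
}

// strictAccept verifies the chain against one pinned vendor root, so a signer issued by an attacker-created CA is rejected.
func strictAccept(signer, pinnedRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

func main() {
	vendorRoot, vendorKey := newCert("Vendor Update CA (constructed)", nil, nil)
	fakeRoot, fakeKey := newCert("Attacker CA (constructed)", nil, nil)
	genuine, _ := newCert("Vendor Signer", vendorRoot, vendorKey)
	forged, _ := newCert("Forged Signer", fakeRoot, fakeKey)
	fmt.Println(weakAccept(forged, fakeRoot), strictAccept(forged, vendorRoot), strictAccept(genuine, vendorRoot)) // true false true
}
```

The forged chain is internally consistent, which is why a check that stops at "does the signature verify against the supplied CA" passes it; only pinning the trusted root closes the gap.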
Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi, explained the implications of fake certificates: “With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected. Using keys and certificates attempted to solve the first security problems on the Internet – what can I trust and what can be private.”
Bocek also explained that Lenovo is not alone with this problem. “Lenovo is certainly not alone in their inability to properly validate digital certificates – this is just the tip of the iceberg. And as this vulnerability shows, if you can compromise certificates, other security controls break down.”
Lenovo has issued a patch for the flaw.