Vulnerability Management

Lenovo patches username/password vulnerabilities

Lenovo patched two vulnerabilities over the Thanksgiving holiday that would allow a hacker to acquire administrative privileges.

IOActive reported that Lenovo System Update 5.07.001 (CVE-2015-8109) contained issues that would give an attacker the ability to more easily predict usernames and passwords of the temporary administrator account.

“Lenovo creates a random temporary Administrator account with a username that follows the template tvsu_tmp_x xxxxXXXXX where each lowercase x is a randomly generated lower case letter and each uppercase X is a randomly generated uppercase letter. A 19-byte, random password is generated via an algorithm,” IOActive said in a report.

The function that creates the random password uses a predictable algorithm, allowing an attacker with knowledge of the account creation timestamp to predict the username.
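To show why a generator tied to the creation time is weak, the added example below (not Lenovo's or IOActive's code) contrasts a hypothetical time-seeded generator with one drawing from the operating system's CSPRNG. The page does not give the real algorithm: seeding with the Unix timestamp, the five-lowercase/five-uppercase split read from the quoted template, and the password alphabet are all assumptions.

```python
import random
import secrets
import string

PREFIX = "tvsu_tmp_"  # prefix from the template quoted in the report
# Assumption: the page gives only the password length (19), not its alphabet.
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def build_name(pick):
    """PREFIX + 5 lowercase + 5 uppercase letters, using pick(alphabet)."""
    lower = "".join(pick(string.ascii_lowercase) for _ in range(5))
    upper = "".join(pick(string.ascii_uppercase) for _ in range(5))
    return PREFIX + lower + upper


def weak_credentials(created_at):
    """Hypothetical flawed design: PRNG seeded with the creation time.

    Every output is a pure function of created_at, so the only secret
    is a timestamp that file metadata or event logs often reveal.
    """
    rng = random.Random(int(created_at))
    user = build_name(rng.choice)
    password = "".join(rng.choice(PASSWORD_ALPHABET) for _ in range(19))
    return user, password


def strong_credentials():
    """Hardened design: every character comes from the OS CSPRNG."""
    user = build_name(secrets.choice)
    password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(19))
    return user, password


def distinct_outputs(start, seconds):
    """Count distinct credential pairs the weak design can emit in a window.

    This is the effective search space when only the creation second
    is unknown; it can never exceed the number of seconds in the window.
    """
    return len({weak_credentials(t) for t in range(start, start + seconds)})


if __name__ == "__main__":
    t0 = 1448500000  # constructed sample timestamp
    print("weak  :", weak_credentials(t0))
    print("strong:", strong_credentials())
    print("weak outputs in one hour:", distinct_outputs(t0, 3600))
    print("nominal username space  :", 26 ** 10)
```

The one-hour window yields at most 3,600 possible credential pairs under the weak design, against a nominal username space of 26^10.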

IOActive recommended Lenovo owners install the Lenovo System Update application (version 5.06.0043 or higher) through the system update tool.
