Lenovo addresses insecure credential storage bug in Fingerprint Manager Pro

Hardware and electronics manufacturer Lenovo disclosed an insecure credential storage vulnerability in its Fingerprint Manager Pro utility software, which can be exploited for local privilege escalation on a variety of systems.

The software, which lets device owners use fingerprint recognition to log in or authenticate to configured websites, was fixed with the Jan. 11 release of version 8.01.87. But in prior versions, sensitive data, including logon credentials and fingerprint data, "is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed," Lenovo warned in a Jan. 25 security advisory.

The high-severity bug, CVE-2017-3762, was discovered by Security Compass researcher Jason Thuraisamy and affects the following systems running Windows 7, 8 and 8.1:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Also on Jan. 25, Lenovo released a second security update that announced a firmware fix for CVE-2017-3768, a medium-severity vulnerability in the Integrated Management Module 2 that could allow unprivileged users to trigger a denial-of-service condition.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
