Hardware and electronics manufacturer Lenovo disclosed an insecure credential storage vulnerability in its Fingerprint Manager Pro utility software, which can be exploited for local privilege escalation on a variety of systems.
The software, which lets device owners use fingerprint recognition to log in or authenticate to configured websites, was fixed with the Jan. 11 release of version 8.01.87. But in prior versions, sensitive data, including logon credentials and fingerprint data, "is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed," Lenovo warned in a Jan. 25 security advisory.
The high-severity bug, CVE-2017-3762, was discovered by Security Compass researcher Jason Thuraisamy, and applies to the following systems running on Windows 7, 8 and 8.1:
Also on Jan. 25, Lenovo released a second security update that announced a firmware fix for CVE-2017-3768, a medium-severity vulnerability in the Integrated Management Module 2, which could allow unprivileged users to trigger a denial of service condition.