Lenovo’s Fingerprint Scanner Has a Hardcoded Password – Install Fix ASAP
Lenovo Fingerprint Scanner can be bypassed using a hardcoded password, the company has warned. An attacker with local, non-admin access can potentially use a Local Privilege Escalation vulnerability (tracked as CVE-2017-3762) to bypass fingerprint authentication and get access to sensitive data, including Windows login information.
In a security advisory, the company said that it is delivering updates for the fingerprint scanner app that is shipped with ThinkPad, ThinkCentre, and ThinkStation series. "A vulnerability has been identified in Lenovo Fingerprint Manager Pro," Lenovo said, adding that sensitive data is accessible to all users with local access.
"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in."
Lenovo fixes hardcoded password flaw - impacted ThinkPad and other systems
Rated high severity, Lenovo said that users need to install version 8.01.87 to fix these critical security issues. Everyone who is running Lenovo Fingerprint Manager Pro for Windows 7, 8, and 8.1 is affected. As for the machines, following Lenovo systems are at risk:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
The company has credited Jackson Thuraisamy, a senior security consultant with Security Compass, for finding and disclosing this high severity security flaw affecting fingerprint scanner. Users can download and update their Fingerprint Manager Pro to version 8.01.87 or later from here. More details about this security vulnerability are available over here at Lenovo.