Some critical security vulnerabilities existed in the “my Lenovo” digital assets. Exploiting these vulnerabilities could even allow an adversary to execute commands on the target systems. Lenovo has addressed the issues after researchers notified them of the bugs.
Critical My Lenovo Vulnerabilities
An Italian security firm Swascan’s Cyber Security Research Team, has recently shared details of some critical vulnerabilities affecting “My Lenovo” assets. The researchers found the bugs via their Domain Threat Intelligence (DTI) tool that works on the information available on the dark web.
As elaborated in their advisory exclusively shared with Latest Hacking News, the researchers found three critical vulnerabilities on two selected IPs.
Investigating the matter made them identify the bugs as LDAP anonymous bind allowed, LDAP password disclosure, and remote command execution.
While the advisory doesn’t precisely explain the technical issues. Yet, it does elaborate on the nature of bugs that fall in these three categories.
- Insufficiently Protected Credentials: insecure storage of credentials allowing an adversary to access user accounts.
- OS Command Injection: an adversary could execute dangerous commands at the level of the operating system on the target device.
- Improper Authentication: insufficient user validation by software allowing an adversary to gain unwarranted access to sensitive data.
Bugs Fixed
Upon finding the bugs, team Swascan responsibly disclosed the report to Lenovo. Their report included the details of the flaws and the PoC and vulnerable addresses and credentials. As stated in the advisory,
Swascan recommended to Lenovo the upgrade of the exposed services, checking the configuration and/or close related ports if not needed in order to mitigate the risk.
Consequently, the vendors, together with the researchers, worked out to develop patches for the flaws. Highlighting the vigilant response from Lenovo, the cybersecurity firm appreciated the fixes.
The Lenovo PSIRT quickly followed through on the suggestions and the information provided by Swascan, showing once again the importance and the value of collaborations between Cyber Security companies and IT/Service providers.
Let us know your thoughts in the comments.