ID

VAR-200807-0235


CVE

CVE-2008-3249


TITLE

Lenovo System Update vulnerability that allows installation of arbitrary packages on the client

Trust: 0.8

sources: JVNDB: JVNDB-2008-004654

DESCRIPTION

The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.

Lenovo System Update is prone to a security-bypass vulnerability because the application fails to properly check SSL certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers, which can lead to the installation of arbitrary software on an affected computer. This may result in a complete compromise of the computer. This issue affects Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3); other versions may also be vulnerable.

Lenovo System Update is an automatic system update tool from Lenovo (China) that covers device driver updates, Windows system patch updates, etc. Lenovo's System Update service allows downloading and installing arbitrary update executables from fake servers. After the SSL negotiation succeeds, the client downloads an XML file that contains the path name, size and SHA-1 hash of the EXE file. If the software version listed in the XML file is higher than the version of the installed software, the client downloads the EXE file, calculates its SHA-1 hash and compares it with the hash defined in the XML file; if they match, the executable is run with administrator permissions.

To exploit this vulnerability, the attacker must create a self-signed SSL certificate that contains the X.509 header values (issuer, common name, organization, etc.) of the public SSL certificate used by the SystemUpdate server (download.boulder.ibm.com). The attacker would also modify the XML configuration file of the targeted software package so that the version number, file size, and SHA-1 hash match the malicious EXE file.

When SystemUpdate tries to connect to the server, the attacker can accept the connection through techniques such as DNS spoofing and ARP redirection. Wireless networks are especially at risk because impersonation of access points can simplify attacks. Once SystemUpdate connects to TCP port 443, the fake server negotiates an SSL session with an attacker-created SSL certificate, then sends malicious XML and EXE files when SystemUpdate requests the targeted software package.

----------------------------------------------------------------------

TITLE: ThinkVantage System Update Missing SSL Certificate Chain Verification

SECUNIA ADVISORY ID: SA30379

VERIFY ADVISORY: http://secunia.com/advisories/30379/

CRITICAL: Less critical

IMPACT: Spoofing

WHERE: From remote

SOFTWARE: ThinkVantage System Update 3.x http://secunia.com/product/15450/

DESCRIPTION: Derek Callaway has reported a security issue in ThinkVantage System Update, which can be exploited by malicious people to conduct spoofing attacks. Successful exploitation allows e.g. downloading and executing malicious programs, but requires that the application connects to a malicious update server providing a specially crafted X.509 certificate (e.g. via DNS poisoning). Other versions may also be affected.

http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-66956

PROVIDED AND/OR DISCOVERED BY: Derek Callaway, Security Objectives

ORIGINAL ADVISORY: SECOBJADV-2008-01: http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt

Trust: 2.07

sources: NVD: CVE-2008-3249 // JVNDB: JVNDB-2008-004654 // BID: 29366 // VULHUB: VHN-33374 // PACKETSTORM: 66635
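
The update flow in the DESCRIPTION above, modelled as an added example (not Lenovo's code and not taken from any cited advisory): it shows why the SHA-1 comparison against the XML file adds no protection once the certificate check only compares name fields. The `Cert` class, the sample values and all function names are assumptions constructed for illustration; the fingerprint pin stands in for the chain and host name verification a real TLS library performs.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not a real parser)."""
    common_name: str
    organization: str
    issuer: str
    der: bytes  # stands in for the full encoding, including key and signature

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

# Constructed sample values; only the host name comes from the description.
GENUINE = Cert("download.boulder.ibm.com", "Example Org", "Example CA",
               b"genuine-key-and-ca-signature")
LOOKALIKE = Cert("download.boulder.ibm.com", "Example Org", "Example CA",
                 b"self-signed-different-key")
PINNED = GENUINE.fingerprint()

def weak_cert_check(cert: Cert) -> bool:
    """Flawed pattern from the description: only name fields are compared."""
    return (cert.common_name, cert.organization, cert.issuer) == (
        GENUINE.common_name, GENUINE.organization, GENUINE.issuer)

def strict_cert_check(cert: Cert) -> bool:
    """Binds trust to the certificate bytes, which copied names cannot match."""
    return cert.fingerprint() == PINNED

def make_manifest(version: tuple, exe: bytes) -> dict:
    # Whoever serves the XML also chooses the size and hash, so they always match.
    return {"version": version, "size": len(exe),
            "sha1": hashlib.sha1(exe).hexdigest()}

def manifest_ok(manifest: dict, exe: bytes) -> bool:
    """The size and SHA-1 comparison the client performs after download."""
    return (len(exe) == manifest["size"]
            and hashlib.sha1(exe).hexdigest() == manifest["sha1"])

def would_execute(cert, manifest, exe, installed, cert_check) -> bool:
    """True when the flow would reach the 'run as administrator' step."""
    return (cert_check(cert)
            and manifest["version"] > installed
            and manifest_ok(manifest, exe))
```

The hash in the XML only detects transfer corruption: integrity of the package rests entirely on authenticating the server, or on a signature over the manifest made with a key the client already trusts.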

AFFECTED PRODUCTS

vendor: lenovo // model: thinkvantage system update // scope: eq // version: 3.13

Trust: 1.6

vendor: lenovo // model: thinkvantage system update // scope: lte // version: 3.13.0005

Trust: 1.0

vendor: lenovo // model: thinkvantage system update // scope: lt // version: 3.14

Trust: 0.8

vendor: lenovo // model: thinkvantage system update // scope: eq // version: 3.13.0005

Trust: 0.6

vendor: lenovo // model: system update // scope: eq // version: 3

Trust: 0.3

vendor: lenovo // model: system update // scope: ne // version: 3.14

Trust: 0.3

sources: BID: 29366 // JVNDB: JVNDB-2008-004654 // CNNVD: CNNVD-200807-352 // NVD: CVE-2008-3249

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-3249
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-3249
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200807-352
value: MEDIUM

Trust: 0.6

VULHUB: VHN-33374
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-3249
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-33374
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-33374 // JVNDB: JVNDB-2008-004654 // CNNVD: CNNVD-200807-352 // NVD: CVE-2008-3249

PROBLEMTYPE DATA

problemtype: CWE-255

Trust: 1.9

sources: VULHUB: VHN-33374 // JVNDB: JVNDB-2008-004654 // NVD: CVE-2008-3249

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200807-352

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-200807-352

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-004654

PATCH

title: Lenovo System Update // url: http://support.lenovo.com/en_US/

Trust: 0.8

sources: JVNDB: JVNDB-2008-004654

EXTERNAL IDS

db: NVD // id: CVE-2008-3249

Trust: 2.8

db: BID // id: 29366

Trust: 2.0

db: SECUNIA // id: 30379

Trust: 1.8

db: SECTRACK // id: 1020112

Trust: 1.7

db: JVNDB // id: JVNDB-2008-004654

Trust: 0.8

db: BUGTRAQ // id: 20080525 SECOBJADV-2008-01: LENOVO SYSTEMUPDATE SSL CERTIFICATE ISSUER SPOOFING VULNERABILITY

Trust: 0.6

db: XF // id: 42638

Trust: 0.6

db: CNNVD // id: CNNVD-200807-352

Trust: 0.6

db: VULHUB // id: VHN-33374

Trust: 0.1

db: PACKETSTORM // id: 66635

Trust: 0.1

sources: VULHUB: VHN-33374 // BID: 29366 // JVNDB: JVNDB-2008-004654 // PACKETSTORM: 66635 // CNNVD: CNNVD-200807-352 // NVD: CVE-2008-3249

REFERENCES

url:http://www.security-objectives.com/advisories/secobjadv-2008-01.txt

Trust: 2.1

url:http://www.securityfocus.com/bid/29366

Trust: 1.7

url:http://www.securityfocus.com/archive/1/492579

Trust: 1.7

url:http://securitytracker.com/id?1020112

Trust: 1.7

url:http://secunia.com/advisories/30379

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/42638

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3249

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3249

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/42638

Trust: 0.6

url:http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=migr-66956

Trust: 0.4

url:/archive/1/492579

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/15450/

Trust: 0.1

url:http://secunia.com/network_software_inspector_2/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/30379/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-33374 // BID: 29366 // JVNDB: JVNDB-2008-004654 // PACKETSTORM: 66635 // CNNVD: CNNVD-200807-352 // NVD: CVE-2008-3249

CREDITS

Derek Callaway

Trust: 0.6

sources: CNNVD: CNNVD-200807-352

SOURCES

db: VULHUB // id: VHN-33374
db: BID // id: 29366
db: JVNDB // id: JVNDB-2008-004654
db: PACKETSTORM // id: 66635
db: CNNVD // id: CNNVD-200807-352
db: NVD // id: CVE-2008-3249

LAST UPDATE DATE

2025-04-10T23:03:24.183000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-33374 // date: 2017-08-08T00:00:00
db: BID // id: 29366 // date: 2015-05-07T17:28:00
db: JVNDB // id: JVNDB-2008-004654 // date: 2012-09-25T00:00:00
db: CNNVD // id: CNNVD-200807-352 // date: 2009-04-08T00:00:00
db: NVD // id: CVE-2008-3249 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB // id: VHN-33374 // date: 2008-07-21T00:00:00
db: BID // id: 29366 // date: 2008-05-25T00:00:00
db: JVNDB // id: JVNDB-2008-004654 // date: 2012-09-25T00:00:00
db: PACKETSTORM // id: 66635 // date: 2008-05-27T20:29:09
db: CNNVD // id: CNNVD-200807-352 // date: 2008-05-25T00:00:00
db: NVD // id: CVE-2008-3249 // date: 2008-07-21T17:41:00