Lenovo just fixed a severe vulnerability in several Lenovo laptop models allowing hackers with physical access to a computer to obtain sensitive information including login credentials. The problem lies in the Lenovo Fingerprint Manager Pro, usually installed on ThinkPad, ThinkCentre and ThinkStation models.
The Lenovo Fingerprint Manager Pro application used a weak encryption algorithm, allowing a local user with non-administrative access to read Windows login information and fingerprint data. An attacker can then use the information to log in to the affected computer. This vulnerability affects Fingerprint Manager Pro on Windows 7, Windows 8 and Windows 8.1. Windows 10 machines are unaffected, as those laptops use Windows 10’s native fingerprint support.
The advisory listed these computer models:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
The vulnerability, indexed as CVE-2017-3762, is rated as high-severity. Although the vulnerability requires physical access to a computer, affected users should update their systems as soon as possible.