According to a security advisory published last week, the Lenovo Fingerprint Manager Pro software shipped on many ThinkPad, ThinkCentre, and ThinkStation systems contains a critical local privilege escalation vulnerability (CVE-2017-3762).
The software stores sensitive data, including users' fingerprint templates and their Windows logon credentials. That data is encrypted with a weak algorithm under a hard-coded password, and the store is readable by every user on the machine. An attacker with local access to the system (a non-administrative account is enough) can therefore recover both the logon credentials and the fingerprint data; the issue is local, not remotely exploitable.
The vulnerability affects the following Lenovo systems when they run Windows 7, 8, or 8.1:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
Lenovo has released a fix: Fingerprint Manager Pro should be updated to version 8.01.87 or later.
Lenovo updated the advisory yesterday to confirm that Windows 10 systems are not affected and that Windows 10 users do not need to install the Fingerprint Manager update. On Windows 10, fingerprint logon is handled by Windows Hello, Microsoft's built-in biometric authentication, rather than by Lenovo's Fingerprint Manager Pro.
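The following PowerShell check is an added example; it is not part of the article or of Lenovo's advisory. It reports whether a host is in scope (Windows 7, 8 or 8.1 with Fingerprint Manager Pro installed) and whether the installed version is still below the fixed release 8.01.87. It assumes the product registers itself in the standard Uninstall registry keys with a DisplayName containing "Fingerprint Manager Pro" and a dotted-numeric DisplayVersion; both are assumptions, not details given on the page.

```powershell
# Added example (not from the article or Lenovo's advisory): does this host
# still carry a vulnerable Lenovo Fingerprint Manager Pro install?
# Assumptions: the product appears under the standard Uninstall keys with a
# DisplayName containing "Fingerprint Manager Pro" and a dotted DisplayVersion.

$FixedVersion = [version]'8.01.87'   # first fixed release named in the advisory

function Get-FingerprintManagerProInstalls {
    # Both native and 32-bit-on-64-bit registration paths.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager Pro*' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-FingerprintManagerProVulnerable {
    param([string]$InstalledVersion)
    # [version] compares component by component, so '8.01.87' (parsed as
    # 8.1.87) sorts correctly against e.g. '8.1.100' or '8.01.86'.
    try {
        $v = [version]$InstalledVersion
    } catch {
        return $true   # unparseable version string: treat as unpatched
    }
    return ($v -lt $FixedVersion)
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -ge [version]'10.0') {
    Write-Output "$($os.Caption): fingerprint logon uses Windows Hello, Fingerprint Manager Pro is not in use. Not affected by CVE-2017-3762."
    return
}

$installs = Get-FingerprintManagerProInstalls
if (-not $installs) {
    Write-Output 'Fingerprint Manager Pro is not installed. Not affected by CVE-2017-3762.'
    return
}

foreach ($i in $installs) {
    if (Test-FingerprintManagerProVulnerable -InstalledVersion $i.DisplayVersion) {
        Write-Warning "$($i.DisplayName) $($i.DisplayVersion) is below $FixedVersion: vulnerable to CVE-2017-3762, update required."
    } else {
        Write-Output "$($i.DisplayName) $($i.DisplayVersion) is at or above $FixedVersion: patched."
    }
}
```

Reading HKLM Uninstall keys and Win32_OperatingSystem needs no elevation, so the script can run under an ordinary account or be pushed through a software-inventory tool. The version comparison is deliberately done with [version] rather than string comparison, since "8.1.100" is newer than "8.01.87" but sorts before it lexically.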