Lenovo Fingerprint Manager Pro

Lenovo has issued security updates for a fingerprint scanner app it shipped with ThinkPad, ThinkCentre, and ThinkStation machines.

Fingerprint Manager Pro is an application developed by Lenovo that allows users to log into Windows machines and online websites by scanning one of their fingerprints using the fingerprint scanner embedded in selected Lenovo products.

"A vulnerability has been identified in Lenovo Fingerprint Manager Pro," said Lenovo in a security advisory published last week.

"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said.

In practice, this means that an attacker with local non-administrative access could use the hard-coded password to bypass fingerprint authentication, and even decrypt the stored Windows logon credentials and fingerprint data.

Update made available last week

The Windows 7, 8, and 8.1 versions of Lenovo Fingerprint Manager Pro are affected. Lenovo has published version 8.01.87, which fixes the problem.

The company advises users of the following Lenovo machines to download and install version 8.01.87 (or later) of the Fingerprint Manager Pro app:

ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
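A fleet-side check for the update above, written here as an added example rather than Lenovo's own tooling: it reads the standard Windows Uninstall registry keys, looks for a product whose display name contains "Fingerprint Manager Pro" (the exact DisplayName string is an assumption), and flags any install whose version is below the fixed 8.01.87.

```powershell
# Added example: audit a Windows host for a vulnerable Lenovo Fingerprint Manager Pro install.
# Assumption: the product registers under the standard Uninstall keys with a DisplayName
# containing "Fingerprint Manager Pro"; adjust the pattern if your fleet reports a different name.
$FixedVersion = [version]'8.01.87'   # first fixed release named in the Lenovo advisory

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FingerprintManagerStatus {
    # The WOW6432Node key does not exist on 32-bit hosts, so suppress that error.
    $installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager Pro*' }

    if (-not $installs) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $false }
    }

    foreach ($app in $installs) {
        $parsed = $null
        $ok = [version]::TryParse([string]$app.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Installed  = $true
            Version    = $app.DisplayVersion
            # A version string that does not parse is reported as vulnerable so a human reviews it.
            Vulnerable = (-not $ok) -or ($parsed -lt $FixedVersion)
        }
    }
}

Get-FingerprintManagerStatus | Format-Table -AutoSize
```

Requires PowerShell 3.0 or later, so Windows 7 hosts still on PowerShell 2.0 need the Windows Management Framework update first.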

Jackson Thuraisamy of Security Compass was the researcher who discovered and reported the vulnerability (CVE-2017-3762) to Lenovo.
