Man-in-the-Middle Vulnerability in Lenovo System Update
CVE-2015-2233
Currently unrated
Summary
Lenovo System Update before version 5.06.0034 does not properly validate certificate authority (CA) chains during signature validation. A man-in-the-middle attacker can exploit this weakness with crafted certificates to upload and execute arbitrary files on affected systems. Correct signature verification is crucial to safeguarding the integrity and authenticity of the updates this software processes.