Swascan Offensive Security Team has identified at least 3 critical vulnerabilities in “My Lenovo” digital assets, identified passively by using the Domain Threat Intelligence (DTI) tool.
DTI – Domain Threat Intelligence – is a service from Swascan’s Cyber Security Testing Cloud Suite. The service does not perform any security tests on the target and only operates on information available on the web or dark web (OSINT and CLOSINT).
In line with the industry-standard procedure of Responsible Vulnerability Disclosure, the findings were reported immediately to Lenovo, which proceeded to remediate and close all possible vulnerabilities.
Technical Details
As explained, during some passive security checks (using Swascan’s own DTI) on some well-known internet domains, Swascan Offensive Security Team detected some important vulnerabilities on two selected IP addresses.
Based purely on intelligence data, the Domain Threat Intelligence provides useful information and indicators to implement better cyber defence strategies and improve the resilience of your company perimeter.
The Threat Intelligence gathering activity is carried out through a process of research, identification and selection of all the publicly available information relating to the domains, subdomains and compromised email addresses of the interested party. All this information is gathered through a completely passive analysis.
In this case, Swascan through the DTI was able to detect three main vulnerabilities:
- LDAP Anonymous Bind Allowed
- LDAP Password Disclosure
- Remote Command Execution (Potential)
As soon as those anomalies were detected, Swascan proceeded to inform the Lenovo PSIRT through the industry-standard Responsible Vulnerability Disclosure process.
Included were all the proofs of concept of possible exploits, a list of vulnerable addresses and credentials, and all the recommended remediation activities.
In particular, the three detected vulnerabilities fell into the following categories:
• CWE-522: Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
• CWE-78: OS Command Injection: This weakness could allow attackers to execute unexpected, dangerous commands directly on the operating system.
This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have.
The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges, which increases the amount of damage.
From a weakness standpoint, the two ways in which command injection arises represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed.
In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but has probably not accounted for alternate ways in which malicious attackers can provide input.
Attackers could execute unauthorized commands, which could then be used to disable the software, or to read and modify data that the attacker is not permitted to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activity may appear to come from the application or the application’s owner.
• CWE-287: Improper Authentication: This happens when an actor claims a given identity and the software does not prove, or insufficiently proves, that the claim is correct.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.
Swascan recommended that Lenovo upgrade the exposed services, review their configuration and/or close the related ports if not needed, in order to mitigate the risk.
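As an added illustration of the configuration check behind the first finding (this is not Swascan’s report material nor Lenovo’s configuration; an OpenLDAP server managed through cn=config is assumed, and the host name in the comment is a placeholder), here is the permissive state in which an anonymous bind is accepted, beside the hardening change that refuses it:

```ldif
# Constructed example: an OpenLDAP (slapd) global configuration entry.
# Permissive state: no olcDisallows/olcRequires attributes, so an
# unauthenticated client can perform an anonymous simple bind and then
# read whatever the access rules expose to "anonymous".
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: stats

# Hardening change, applied in place with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f harden.ldif
# bind_anon refuses anonymous bind requests; authc additionally rejects
# other operations coming from a session that has not authenticated.
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc

# Verification from any host (placeholder host name): before the change
# an unauthenticated query returns directory data, afterwards it is refused.
#   ldapsearch -x -H ldap://ldap.example.com -b '' -s base
```

Roll the change out only after confirming that no application still depends on anonymous reads, since those clients will need service credentials once the bind is refused.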
For its part, the Lenovo PSIRT quickly followed through on the suggestions and the information provided by Swascan, showing once again the importance and the value of collaboration between cyber security companies and IT/service providers.