Lenovo's Fingerprint Manager Pro Detected with High Severity Security Flaw - Fix Available in version 8.01.87

Lenovo has disclosed that its fingerprint software contains a severe bug that left user login credentials vulnerable on the company's ThinkPad, ThinkCentre and ThinkStation devices. The company has fixed the high-severity vulnerability across a wide range of laptop models; it allowed an attacker with physical access to log in and then obtain users' Windows login credentials and other sensitive data.

The vulnerability resides in Lenovo Fingerprint Manager Pro, which is typically installed on ThinkPad, ThinkCentre and ThinkStation models. A weak encryption algorithm makes it possible for someone with local, non-administrative access to read Windows logon credentials and fingerprint data. From there, that person can log into the computer or use the extracted credentials for other illegal purposes. The vulnerability affects only Fingerprint Manager Pro for Windows 7, Windows 8 and Windows 8.1. Fingerprint-enabled laptops running Windows 10 are not affected because they use Microsoft's native fingerprint support instead.

Affected laptops include the following models:

  1. ThinkPad L560

  2. ThinkPad P40 Yoga, P50s

  3. ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560

  4. ThinkPad W540, W541, W550s

  5. ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)

  6. ThinkPad X240, X240s, X250, X260

  7. ThinkPad Yoga 14 (20FY), Yoga 460

  8. ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z

  9. ThinkStation E32, P300, P500, P700, P900


The fingerprint reader allows users to log in to various services using a fingerprint instead of a password. The vulnerability, indexed as CVE-2017-3762, surfaced almost three years after Lenovo fixed a separate vulnerability in an earlier fingerprint manager. While physical access is required to exploit the vulnerability, Windows login credentials are designed specifically to protect against scenarios where a user loses control of the hardware.


Lenovo did declare the flaw as having a high severity, but at least there's a fix out, so no need to panic. The company fixed the issue in Fingerprint Manager Pro 8.01.87, released in December 2017, although the changelog doesn't make that clear. The only change listed for the new version is that 'All binaries digitally signed with Softex certificate and will show sha256 as digest algorithm'.

Lenovo's track record with pre-loaded software isn't stellar: the company has been hit pretty hard for having spyware-based adware pre-installed on its laptops from 2014 onwards. In March 2016, the company fixed a privilege escalation vulnerability in the same package that could have allowed attackers to execute malware or other malicious code with administrator privileges.
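Because the changelog does not mention the fix, the practical check for an administrator is simply whether a host still runs a build older than 8.01.87 on an in-scope Windows version. The following PowerShell script is an added example written for this article, not code from Lenovo or from the original page. It assumes (the page does not say) that the product registers under the standard Windows Uninstall registry keys and that its DisplayName contains "Fingerprint Manager"; adjust the match if your inventory shows a different name.

```powershell
# Added example, not from the article or from Lenovo: flag hosts still running a
# Fingerprint Manager Pro build older than the fixed release 8.01.87.
# Assumptions not stated on the page: the product appears under the standard
# Windows Uninstall registry keys, and its DisplayName contains "Fingerprint Manager".

$FixedVersion = [version]'8.01.87'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FingerprintManagerExposure {
    # Windows 10 hosts are out of scope: they use Microsoft's native fingerprint support.
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    $osInScope = $osVersion -lt [version]'10.0'

    # Assumed name match; entries without a DisplayName are filtered out by -like on $null.
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager*' }

    if (-not $entries) {
        return [pscustomobject]@{
            Installed = $false
            OsInScope = $osInScope
            Exposed   = $false
            Detail    = 'Fingerprint Manager Pro not found in Uninstall keys'
        }
    }

    foreach ($entry in $entries) {
        $installed = $null
        # DisplayVersion can be absent or non-numeric; an unparsable value is reported, not guessed.
        $parsed = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)

        if (-not $parsed) {
            $exposed = 'unknown'
            $detail  = "Could not parse DisplayVersion '$($entry.DisplayVersion)'"
        } elseif ($installed -lt $FixedVersion) {
            # Old build: only counts as exposed on Windows 7 / 8 / 8.1, per the advisory.
            $exposed = $osInScope
            $detail  = "Version $installed is below fixed release $FixedVersion"
        } else {
            $exposed = $false
            $detail  = "Version $installed is at or above $FixedVersion"
        }

        [pscustomobject]@{
            Installed = $true
            Name      = $entry.DisplayName
            Version   = $entry.DisplayVersion
            OsInScope = $osInScope
            Exposed   = $exposed
            Detail    = $detail
        }
    }
}

Test-FingerprintManagerExposure | Format-Table -AutoSize
```

The script reads the Uninstall keys rather than querying Win32_Product, which is slow and triggers MSI consistency checks on every run. An `Exposed` value of `unknown` means the version string could not be parsed and the host needs a manual look; `Exposed = $True` means an old build on Windows 7, 8 or 8.1, which is exactly the combination the article describes as affected.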