Swascan finds vulnerabilities, collaborates with Lenovo to fix

The Cyber Security Team of the Italian company Swascan has discovered 9 vulnerabilities related to the servers/application of Lenovo’s infrastructure.

Lenovo Group Limited, is the well-known multinational that produces and sells personal computers, tablets, smartphones, workstations, servers, electronic storage devices, IT management software and smart televisions.

Swascan is the Italian Cyber Security company founded by Raoul Chiesa and Pierguido Iezzi. Swascan is the first CyberSecurity Testing platform that allows to identify, analyze and solve the vulnerabilities of websites and information infrastructure.

Just a few weeks ago, thanks to its Research Team Swascan had already been able to unravel the vulnerabilities of Adobe and Microsoft. This time the Italian company’s Cyber Team has identified some vulnerabilities related to Lenovo’s server infrastructure.

In detail, the 9 vulnerabilities identified were classified by risk levels as follows:

–        High 2;

–        Medium 7;

These vulnerabilities, if exploited, could have impacted the integrity, availability and confidentiality of the systems.

For this very reason, Swascan immediately contacted the Lenovo Security Department, whose professional response was among the best we’ve encountered, leading to a fruitful collaboration and resolution of the identified vulnerabilities.

Lenovo’s vulnerabilities

The identified and resolved vulnerabilities were:

CWE – 476:  The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

CWE – 119: The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data. As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.

CWE-416: The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

  • Error conditions and other exceptional circumstances.
  • Confusion over which part of the program is responsible for freeing the memory.

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

CWE – 78: This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.

CWE-20: The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

CWE-287: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Swascan and Lenovo

In line with the spirit and objectives of Swascan, this press release is not intended to discuss or dissect the identified vulnerabilities. The purpose of this article, however, is to shift the focus on the importance of real collaboration between vendors and CyberSecurity companies.

Lenovo’s attention to our discoveries together with the email exchanges, the evaluations, the remediation activities, and the resolution times were among the most serious, professional, and transparent that we have witnessed in our careers: congratulations to the security experts, reverse engineers, and programmers who work at Lenovo. This reflects perfectly the need for collaboration between Cyber Security companies (Swascan) and software vendors (Lenovo’s team).

CERTs and PSIRTs play a key role in the security ecosystem in the digital world we live in. Our hope is to find more and more prepared teams, just like Lenovo’s PSIRT, which has shown exemplary behaviour as well as high consideration and care for its customers.

Pierguido Iezzi, CyberSecurity Director

Raoul “Nobody” Chiesa Swascan co-founder, InfoSec addicted

Swascan Team

[email protected]

Discover more about Swascan

Swascan uncovers Microsoft’s Vulnerabilities
Swascan uncovers Huawei 's vulnerabilities

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.