====================================================================== = Security Objectives Advisory (SECOBJADV-2008-01) = ====================================================================== Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability http://www.security-objectives.com/advisories/SECOBJADV-2008-01/ AFFECTED: Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3) PLATFORM: Intel / Windows CLASSIFICATION: Trust of OpenSSL Certificate Without Validation (CWE-599) RESEARCHER: Derek Callaway IMPACT: Client-side code execution SEVERITY: High DIFFICULTY: Moderate BACKGROUND System Update(tm) helps you reduce the time, effort, and expense required to support and maintain the latest drivers, BIOS, and other applications for Think or Lenovo systems. It enables you to get the latest updates from the Lenovo support site, or to automatically schedule your system to be updated. http://www-307.ibm.com/pc/support/site.wss/TVSU-UPDATE.html SUMMARY Lenovo System Update allows arbitrary update executables to be downloaded and installed from a rogue server. The Client DLL does not perform certificate chain verification when initiating an SSL connection with the server. Instead, it performs a string comparison on the Issuer field of the X.509 certificate in order to determine if it appears to belong to IBM. After successful SSL negotiation, the client proceeds to download XML files that contain pathnames to EXE files, their sizes, and corresponding SHA-1 hashes (although the XML element defining the SHA value is named "CRC.") If an XML file shows a newer software version than what it is already installed, it downloads the EXE file, calculates its SHA-1 hash and compares it against the one defined in the XML file; if they match, it runs the executable with administrator privileges. ANALYSIS In order to exploit this vulnerability an attacker would create a self-signed SSL certificate with X.509 header values (issuer, common name, organization, etc.) of the real public SSL certificate used by the SystemUpdate server at download.boulder.ibm.com. The attacker would also modify the XML config file for the target package with a new version number, file size, and SHA-1 hash that correspond to a malicious EXE file. In theory, an attacker could inject a completely new package into QuestResponse.xml although this was not tested by Security Objectives. When SystemUpdate attempts to make a connection to the server, the attacker would accept the connection through DNS spoofing, ARP redirection, etc. Users of wireless networks are at high risk because access point impersonation will simplify the attack. Once SystemUpdate makes the connection to TCP port 443, the rogue server negotitates an SSL session with the attacker-created SSL certificate. The rogue HTTPS server will then send the malicious XML and EXE files when SystemUpdate requests the target package. All other requests will be conducted as usual by proxying requests to the real SystemUpdate server or maintaining a mirrored version of it. WORKAROUND One potential work-around is to disable scheduled updates and not execute Lenovo SystemUpdate although this may expose the user to other vulnerabilities since software patches will not be installed. VENDOR RESPONSE ThinkVantage SystemUpdate MR4 is in golden release stage at the time of writing. http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-66956 DISCLOSURE TIMELINE 23-Jan-2008 Discovery of Vulnerability 30-Jan-2008 Developed Proof-of-Concept 02-Feb-2008 Reported to Vendor 19-Feb-2008 Discussed Exploitation 14-Apr-2008 Wrote Patch 18-Apr-2008 Tested Patch 20-May-2008 Released Patch 25-May-2008 Published Advisory ABOUT SECURITY OBJECTIVES Security Objectives is a security centric consultancy and software development corporation which operates in the area of application assurance software. Security Objectives employs methods that are centered on software comprehension, therefore a more in-depth contextual understanding of the application is developed. http://security-objectives.com/ LEGAL Permission is granted for electronic distribution of this advisory. It may not be edited without the written consent of Security Objectives. The information contained in this advisory is believed to be accurate based on currently available information and is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the information is with you.