Lenovo servers contained major security vulnerabilities

• A total of nine vulnerabilities were found across the company's servers. Out of them, two were classified as high-risk flaws.
• The vulnerabilities included use-after-free issues, command injection flaw, improper authentication, and other flaws.

Servers used to Lenovo’s infrastructure were identified having security vulnerabilities that could have compromised systems on a large scale. Discovered by security researchers from Swascan, the servers had nine major flaws out of which two were classified as high-risk. The rest seven were rated as medium risk flaws. Lenovo has fixed some of the vulnerabilities after Swascan notified them.

Key highlights

• The flaws discovered in Lenovo servers mainly included use-after-free issues, command injection flaw, improper authentication among others.
• Swascan researchers suggest that successful exploitations of these flaws could compromise Lenovo systems.
• Some of the resolved vulnerabilities are CWE-476 (Null Pointer dereferencing), CWE-119 (buffer errors), CWE-416 (use-after-free), CWE-78 (OS command injection), CWE-20 (improper input validation), and CWE-287 (improper authentication).
• These flaws could allow arbitrary code execution, alter the intended control flow, read sensitive information, or cause systems to crash.

What was the response?

Swascan, which collaborated with Lenovo to fix the issues in the servers, praised the Chinese computer manufacturer’s involvement in the resolution.

“These vulnerabilities, if exploited, could have impacted the integrity, availability, and confidentiality of the systems. For this very reason, Swascan immediately contacted the Lenovo Security Department, whose professional response was among the best we’ve encountered, leading to a fruitful collaboration and resolution of the identified vulnerabilities,” Swascan said in a blog.

Previously, Swascan had identified multiple vulnerabilities in products related to Adobe and Microsoft.