back to article Security gone in 600 seconds: Make-me-admin hole found in Lenovo Windows laptop crapware. Delete it now

Not only has a vulnerability been found in Lenovo Solution Centre (LSC), but the laptop maker fiddled with end-of-life dates to make it seem less important – and is now telling the world it EOL'd the vulnerable monitoring software before its final version was released. The LSC privilege-escalation vuln (CVE-2019-6177) was …

  1. Anonymous Coward
    Anonymous Coward

    EOL Dates

    With the issue about Chromebooks earlier this week and now with Lenovo's, there has to be some comeback for the poor sods who part with hard earned cash for these things.

    I forsee more and more makers of stuff using this as a easy of getting out of support issues.

    Why aren't there a gazillion class actions being filed every day over this crapshoot?

    1. Pascal Monett Silver badge

      Re: Why aren't there a gazillion class actions being filed every day over this crapshoot?

      Because the lawyers are the only ones who benefit ?

    2. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    "not uncommon"?!

    This would have been very uncommon at any of the several large shops for which I've worked. EOSL is the very last date (usually well after LOD, LSD, and EOL) in the product lifecycle, not merely the final nail in the coffin but the final placement of sod atop the long-filled grave. It's preannounced, by reputable vendors, years in advance, and once that date rolls around that product is dead as dead can be. No more spares, upgrades, or patches, not even for major security problems (certainly not, as in this case, to introduce them!). The date may be delayed if there is outcry or good reason, but once it rolls around and EOSL is formally announced, that's all she wrote. The source code will be off on tape, or escrowed, or both, the last of the media packs will have been destroyed or handed out as souvenirs, the last of the manuals and spares will have been sold off into surplus, training materials destroyed or at the very least archived and certainly no longer part of the SOP for Service, defect tracking categories frozen and archived, and so on. Further support not only won't be offered, it isn't even possible without enormous expenditure.

    This has become typical corporate behaviour: screw the pooch, get caught, cheat your customers instead of making it right, get caught again, then lie about it because in for a penny in for a pound. Die, Lenovo.

    1. Nate Amsden

      Re: "not uncommon"?!

      Certainly is not a hard rule for everyone.

      https://www.theregister.co.uk/2019/05/15/may_patch_tuesday/

      MS released XP patches recently.. (wasn't the first time)

      There was a security bug in a Sonicwall product I manage that went end of life earlier this year and they still patched it.

      Cisco released patches for ASA firewalls about 10 months after end of life, one from may 2019 is:

      https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190501-asa-ipsec-dos.html

      But you need a support contract, and you can't get a new one anymore(tried earlier this year for an old ASA that is now being retired in the next couple of weeks previous network engineer didn't feel support was needed because they were unlikely to fail- didn't consider security patches)

      I agree what Lenovo did is stupid, but it seems like the software is far from critical and it won't hurt anyone to simply remove it. I'm sure it's on the windows partition of my P50, but that doesn't get booted often maybe 2-3 times a year.

  3. Dvon of Edzore
    Facepalm

    I see pointing fingers in your future

    "____________ started it!!"

    Fill in the blank with your choice of tech vendors and proclaim in the voice of an aggrieved child. Yep, AC, the marketplace has supplanted the bazaar of excellence with the sandbox of short term thinking. Forget California's Prop. 65 warning, the whole industry needs to be marked Adult Supervision Required.

  4. wayne 8

    Lenovo

    Blow Windows away as soon as any laptop is in my hands.

    My tower was a bare metal purchase. It has only known Linux.

    1. Authentic Name

      Re: Lenovo

      But beware bootloaders, controllers, ILO and other code soldered onto the mobo.

    2. Dan 55 Silver badge

      Re: Lenovo

      So now you only have to worry about the EFI, ME, AMT, and probably something else running on the as yet undiscovered ring -50 because CPUs these days are like Inception.

      1. Jamesit

        Re: Lenovo

        "So now you only have to worry about the EFI, ME, AMT, and probably something else running on the as yet undiscovered ring -50 because CPUs these days are like Inception."

        If you're concerned about that you could run Coreboot. coreboot.org

        "coreboot is an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems. As an Open Source project it provides audit ability and maximum control over technology."

        1. whitepines

          Re: Lenovo

          Not really. It's derisively called "shimboot" for a reason, and that's because Intel and AMD decided to force all that lower level signed crap and not allow anyone to get documentation or even rip out the unwanted parts entirely. The ME and PSP are literal digital nannies, not to be removed or reprogrammed with unapproved code under any circumstances.

          For added fun I just read a post from the past day or so on their own coreboot mailing list (was browsing to see how they handle the PSP), with the developers concerned about the ratio of binary code to open source on these modern computers being something terrible like 8:1. That's 1 bit of open code for every 8 bits of proprietary code, and makes me wonder just where they get off making the claims you quoted above. Maybe for obsolete decade old machines?

          Look into one of the open chips (i.e. not Intel or AMD) if you truly want to get away from that. Both RISC-V and now Power are open ISA and if you choose carefully you can select chips that you actually own with open firmware. Just be wary of manufacturers that claim open firmware when they also require various closed source bits to run at all. Lots of sharks in these waters still!

          1. Updraft102

            Re: Lenovo

            Yes, it's presumably called shimboot because it uses a shim to boot. I am not familiar with the specific reference you're making, but there's nothing nefarious or sinister about using a shim, and it doesn't have to do with AMD and Intel executives meeting in dark rooms with Microsoft executives to plan how to screw their customers.

            Microsoft required Secure Boot as an option with the beginning of the Windows 8 era. When you're the 800 lb. gorilla in the room, you can demand things like this and expect results. If Secure Boot was in and of itself bad, I'd be carrying a torch and pitchfork myself; I have no love for Microsoft, and I gave up Windows more than a year ago.

            When the Windows OS is installed (generally by the OEM), it installs its signed bootloader. When the OS boots, it looks for the bootloader signed with its Microsoft keys, validates it with the keys stored in the UEFI image, and if they are not valid (like if the bootloader has been altered), it refuses to boot. It's a joint effort between the UEFI firmware and the OS; both have to be Secure Boot enabled for it to work.

            Other OS vendors are free to do the same thing and sign their own bootloaders with their own keys, and they have. The only thing is that the OEMs and/or firmware vendors don't think it's worth their while to include the non-MS keys in the UEFI image to be able to validate the bootloaders. Each major Linux distro has its own keys, and while some (Mint, KDE Neon, etc.) use the same bootloader and keys as their upstream (Ubuntu, in this case), others don't, and this entire array of bootloader keys, along with the distros that don't do secure boot, collectively make up 2% of the PC market, as opposed to Microsoft's 88%.

            This is why distros like Ubuntu use a shim. The shim has the Microsoft signature, so Secure Boot even without the Ubuntu key in the firmware works, and the shim looks for the Ubuntu signature in its bootloader, then chainloads it if everything is in order.

            That's why Microsoft is in the loop when we're talking about installing OSes that have nothing to do with Microsoft. It allows OS vendors like Canonical to use secure boot with hardware that only looks for the Microsoft key.

            I imagine that Microsoft's motivation for assisting Ubuntu and other Linux distros that have MS-signed shims is to avoid any more anti-trust scrutiny than they already deserve. I don't think for a moment MS does it to be nice, but the point is that they do allow the MS signature to be used to load non-MS operating systems, so users of Ubuntu and other major distros that have these shims can benefit from Secure Boot on any PC that has it (since they all work with MS keys).

            Of course, if you don't want to mess with any of this, you can just turn secure boot OFF and not worry about it. I wouldn't accept a PC that will not allow me to disable secure boot, but its mere presence isn't an affront to me either. I use it on all of my Linux machines new enough to have the capability (my desktop has UEFI but no support for Secure Boot). If something changes my bootloader without my knowledge, I want it to stop and tell me something has gone wrong rather than just loading some rootkit (which is something of a shim itself!) and pretending everything is fine. And if Microsoft ever does what the pessimists fear and one day stops signing Linux shims, I can just turn secure boot off.

            1. whitepines

              Re: Lenovo

              Respectfully I think you missed the point by rather a large margin.

              First, shimboot refers to the fact that it's just a bunch of shims used to glue the large binary programs that do the real work together. A glorified orchestra conductor that doesn't play an instrument as it were.

              Second, the keys used to control the OS boot keyring are the problem. You're looking at the tip of the iceberg, the nice sanitized UI that makes you think you have control when you don't. If you want a real eye opener look into the Intel ME and AMD PSP, along with Boot Guard and such. Then look into the master keys that control the keyring you look at in the EFI configuration panel -- hint, they're not yours...

              1. Alan Brown Silver badge

                Re: Lenovo

                "If you want a real eye opener look into the Intel ME and AMD PSP, along with Boot Guard and such."

                It would be a "pity" if the source code for what's in those were to leak into the big wide world. A real "pity"

        2. Anonymous Coward
          Anonymous Coward

          Re: Lenovo

          Nice idea, but the support for boards is limited.

          1. Hans 1
            Thumb Up

            Re: Lenovo

            Great, you are volunteering to help us, then !

            Thanks, what motherboards do you have ? Are you familiar with chipsets, chips, and flashing bioses ?

        3. Alan Brown Silver badge

          Re: Lenovo

          "If you're concerned about that you could run Coreboot. coreboot.org"

          Except that EVEN THAT can't deal with the embedded parts of the firmware and Intel nicely introduced deadman switches into the boot code binary blobs - if you deliberately disable ME/AMT via a bios code tweak the machine will shut down after a few minutes (don't forget it's always there even if vPro isn't visible)

          AMD is suspected of having done similar things.

    3. Terry 6 Silver badge

      Re: Lenovo

      So what!

      It's not about you. Your comment adds nothing.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lenovo

        "It's not about you. Your comment adds nothing."

        Yet your comment adds so much more to the message boards.

        (You must be fun at parties.)

        1. Terry 6 Silver badge
          Flame

          Re: Lenovo

          Bullshit AC!

          This was a thread about an issue.

          Side issues are welcome, if they come out of a main thread. That's what makes El reg fun.

          (I'd guess you don't get to many parties).

          But smug "This doesn't affect me because I'm better" comments are of no interest to any one other than the poster (and maybe a few equally smug like minded individuals).

          But your comment was no different to the sort of crap that wrecks tech forum threads by posting something that says, in effect, "I don't have that issue, because I know more than you" when someone has asked for help. It's trolling. And El Reg has been mercifully free of that, by and large.

          It helps no one, and amuses no one. Except other trolls like you. AC trolls. Pathetic.

    4. Anonymous Coward
      Anonymous Coward

      Re: Lenovo

      Linux worshipers fail to understand that whenever Linux is broadly preinstalled on systems it will get the same crapware treatment. Nothing forbids to install crap daemons running as root.

      Sure, you can obliterate the installed software and make a clean installation, techies will do that and the masses eager to use the new toy won't. Just look at what comes preinstalled in most Android phones...

      1. Long John Brass
        Devil

        Re: Lenovo

        That's true; But that's true for most kit from most vendors. Back in the day as a Solaris admin; I immediately wiped and reinstalled Solaris on any box I got from Sun or their Vars... Not because I didn't trust them; But I usually had requirements for disk layouts etc that differed from the factory one

        1. Anonymous Coward
          Anonymous Coward

          Re: Lenovo

          I don't trust anybody, not even Microsoft, but I'm stuck with any bloatware from MS because I don't (or didn´t) know any better.

          Last vendor-installed machine I had, would FREEZE if I tried to change the CLOCK (Win 95 era). Complete crash, not even ctrl-alt-del worthy. Had to reinstall it from scratch.

      2. Updraft102

        Re: Lenovo

        Linux worshipers fail to understand that whenever Linux is broadly preinstalled on systems it will get the same crapware treatment. Nothing forbids to install crap daemons running as root.

        That would indicate widespread adoption of Linux and the presence of enough commercial software on the platform to make crapware worth the hardware OEM's while. Wouldn't that mean the proverbial "year of the Linux desktop" had finally come?

        I'd find that an acceptable trade-off. After all, as a home user, I am probably not going to want the distro/DE they put on there anyway, nor is their partitioning scheme likely to be what I want. As was the case in my Windows days, I'd end up wiping it and putting my own OS on there anyway. The only real advantage of a PC with preinstalled Linux for me would be the knowledge that I didn't enrich Microsoft and that the device's various components have Linux drivers (which is something I would find out during the return period on any new machine anyway).

        I've never had a PC with preinstalled Linux, but all of the anecdotes from those who have bought such things have said they had no crapware. I am also told Apple Macs don't have crapware. Until the year of the Linux desktop happens, crapware remains primarily a Windows problem, within the PC sphere at least.

        1. Anonymous Coward
          Anonymous Coward

          "crapware remains primarily a Windows problem"

          No, I just pointed out Android suffers exactly the same problem, and even worse, you can't easily install a clean version, nor remove some applications.

          It's a problem when an OS becomes broadly used, and is open enough to allow for such kind of behaviour.

          None of the crapware is Windows intrinsic not made mandatory in any way by Windows - Microsoft itself got tired and promoted the sales of "clean" systems. And after the antitrust rules, it would have a very hard time to forbid OEMs to install anything.

          macOS/iOS don't have the problem because devices are sold only by Apple itself, so it doesn't need to differentiate nor find a way to slurp user data it can't otherwise.

          If the "year of the Linux desktop" ever comes, we could risk even OEMs customized distros....

          1. Nick Ryan Silver badge

            Re: "crapware remains primarily a Windows problem"

            None of the crapware is Windows intrinsic not made mandatory in any way by Windows - Microsoft itself got tired and promoted the sales of "clean" systems. And after the antitrust rules, it would have a very hard time to forbid OEMs to install anything.

            Apart from, of course, all the crap apps that Microsoft foists onto systems using the windows 10 app store. Games, crap and pointless media applications, social media junk - all pre-installed and often repeatedly re-installed in an entirely opaque manner. Then there come the "recommendations" and the utterly useless and detrimental cortana which is more concerned about sending data and recommendations from the same app store that even finding a locally installed application is hit and miss.

            The same old OEMs still pre-load their systems with a load of crap ware. I do what I have done for years: delete all partitions and install from scratch using vanilla windows media.

            1. Alan Brown Silver badge

              Re: "crapware remains primarily a Windows problem"

              "often repeatedly re-installed in an entirely opaque manner"

              This part grates heavily. If I remove a bunch of stuff (gemdrop and other stupid games) I _DO NOT WANT_ them coming back like ghost farts in an elevator.

            2. Terry 6 Silver badge

              Re: "crapware remains primarily a Windows problem"

              Yup.

              I happen to like a nice clean, organised Start menu. Software titles grouped into folders according to function. Apart from anything else, I don't always remember what I have (like assorted freeware graphics programmes I might be trying out) and some titles are far removed from their function. So...

              I do not want 3d Paint, Microsoft Edge,Connect etc etc. stuck in an alphabetical list between my useful category folders.

              Especially since I don't want them at all anyway.

              The whole marketing philosophy of force a programme under the punters' noses drive me loopy. When I go into a restaurant I don't expect the waiter to stick a plate of sausages in front of me when I sit down.

        2. Anonymous Coward
          Anonymous Coward

          Re: Lenovo

          "The only real advantage of a PC with preinstalled Linux for me would be the knowledge that I didn't enrich Microsoft..."

          Sorry! Every PC being sold today contains lots of Microsoft firmware that you can't remove or replace. Most notably, UEFI contains what is essentially a variant of MS-DOS, and Microsoft gets royalties from it for every PC made (presumably this includes Macs although I'd be happy for someone who actually knows for certain to comment). It was a very clever move on their part to guarantee themselves eternal revenue even if the entire market shunned Windows forever.

      3. Alan Brown Silver badge

        Re: Lenovo

        "Just look at what comes preinstalled in most Android phones..."

        And look at the lengths that Android phone makers go to, in order to prevent the users from getting control of their own devices.

      4. Anonymous Coward
        Anonymous Coward

        Re: Lenovo

        I don't care about other people and their tech hygiene. I make a living out of people being tech illiterate. I just want better Linux support.

        Getting pre-installed Linux only helps improve hardware support. Bloatware or not, it's still a win.

        Besides, in a Linux environment the techies are more feverish.

        When MS added advertising tracking into Windows not a single Windows fanboy blinked. When Ubuntu embedded Amazon search Linux fanboys lost their shit.

        Given the importance of operating systems these days, I think they should be produced by non-profit businesses and certain practices should be standardised to prevent manufacturers embedding crapware.

        Quite why a hardware manufacturer is tinkering with the OS software is beyond me. There should be an incentive for keeping the OS clean.

        I can't help but blame MS in part for this type of thing. Lenovo has to get the license cost back somehow.

        Price gouging is becoming a massive problem in tech as well.

        I don't know a single sensible person that maxes out the spec of something at checkout.

        You buy the model with a tiny cheap SSD and 8GB RAM then when it arrives, you upgrade it yourself. Usually saves hundreds of pounds...and in the case of Lenovo, doesn't void your warranty.

      5. Anonymous Coward
        Anonymous Coward

        Re: Lenovo

        No. But it's a lot easier to remove them.

    5. Anonymous Coward
      Anonymous Coward

      Re: Lenovo

      I am a great believer in Linux. We use it extensively at my place or work.

      I don't see what this particular issue has to do with the choice between Windows and Linux. It would be possible to write a crappy piece of code in Linux that could do such a thing just as in Windows.

  5. VinceH
    Facepalm

    Optional

    We have asked Lenovo why they changed the EOL date on the Lenovo Solution Centre page to make it look like they were releasing updates for a product they had already EOL'd.

    And it looks to me as though the question they answered was "Why are you releasing updates for a product after its EOL?"

    1. Alan Brown Silver badge

      Re: Optional

      "the question they answered was "

      Yup.

      "That's a very nice answer minister, very well spoken and obviously well rehearsed - but it's not an answer to the question I asked. Please answer the question."

  6. karlkarl Silver badge

    All this mucky Win32 OEM / Out-of-the-box software. Why does it still exist.

    1. Terry 6 Silver badge

      Because money.

      Commercial organisations exist for money.

      And if putting stuff on your computer brings in the stuff that's what they'll do.

  7. tech_is_BS

    Lenovo crapware

    I mistakenly bought a Lenovo laptop in 2018. The first thing I did after setting it up was to remove all Lenovo-branded spyware. But then I had to send it to the Lenovo service center TWICE because of hardware failures. It's running smoothly now (knock on wood) but I'll never buy another Lenovo device. Ever.

    1. Updraft102

      Re: Lenovo crapware

      Anecdotes are not data. Anyone can get a bad example of a good product or a good example of a bad one. You have to look for overall failure rates to get an idea of which vendors have the best products, and other factors play a role too. Louis Rossman (of Youtube fame, sort of) has talked at length at how Apple goes out of its way to deny warranty service to customers of its high-priced products, using moisture sensors on its boards that have no other function than to deny warranty coverage to Apple customers, while Lenovo takes customer satisfaction more seriously, having no trouble repairing PCs the customer tells them in advance are liquid damaged under warranty.

      I've never had a Lenovo and I don't know that I will ever have one, but I wouldn't base a future buying decision it on one bad hardware incident. They all turn out a certain percentage of lemons.

      Crapware is a little different... if it is Superfish or the like, which Lenovo was guilty of a few years ago, that's getting into the "no way" territory, but regular crapware helps subsidize the Microsoft tax, and it's all going to be wiped to put a usable OS on there anyway (which Windows 10 is not).

      1. Halfmad

        Re: Lenovo crapware

        Years ago I use to run IT for a group of schools, during build up to the summer holidays I'd order in PCs to replace existing but ageing ones, I'd always order 2-3% more than needed. When asked why - I explained to management that we expected at least a 1% failure rate on either the base unit or monitor and as the rooms had a fixed number of PCs needed per class, (typically 20 + 1 teacher) we had to ensure those were identical and working. The only way to avoid being a few down, as these would be installed right up until the day before students came back was the over-order and have the faulty units RMA'd and used elsewhere in the schools e.g. admin areas when they came back, the "extra" PCs would be used after all, no money wasted.

        Took them a while to get to grips with it but as it was an operational thing and we typically got a larger discount by ordering in greater numbers they were OK with it. As you said singular experiences aren't really helpful. I'd be ordering 1500-1600 PCs for every summer, some years were better than others depending on who we were forced to buy from (Dell/HP etc) but failure rates were always around 0.8-1.1% typically PSU related or damage en-route.

        1. Luiz Abdala

          Re: Lenovo crapware

          I relate to that fact about percentages.

          I went into a notebook repair shop, and they had a STACK of HP notebooks, up to my waist. All identical model, all with their Nvidia graphics chips fried (back then, you'd know which one) in the exact same fashion.

          A customer walks in, that exact model, with a damaged keyboard. (lucky bastard.) Eavesdropping while the technician writes a receipt, I understand he customized the cooling by himself, so that's why it hadn't fried and was still working smoothly.

        2. Alan Brown Silver badge

          Re: Lenovo crapware

          "Took them a while to get to grips with it"

          I found a simple solution: "OK, I'd like you to sign HERE on this document to say that you've had the necessity for onsite operational spares explained to you, that you've declined to allow for this in planning and that you take on full fiscal/legal responsibility for the consequences of this decision."

          Get it witnessed.

          And if they refuse to sign off on it, make a note of that too and have it witnessed (and recorded) - because when spinny thing and fecal matter intersect this is the kind of slippery fucker who will go out of their way to make it someone else's (your) fault, or fire you for "not respecting their authoritah" - and then blame you for the shitfest because you're no longer there. (which can have devastating employment consequences - slander is a serious issue, so keep this stuff recorded)

          As an ISP, I fired a couple of customers and _never_ felt guilty about it.

          One I specifically warned not to put NT4 systems directly on the Internet without a bastion due to its documented hackability tried to smear me amongst local businesses by painting my warning as a threat to hack their networks - they lasted about 6 weeks on their new ISP before being utterly reamed and having all their business records stolen (they were a successful pharmaceutical manufacturer) - the company never recovered and was taken over by a multinational drug company shortly afterwards. The "Consultant expert" they'd used was cut loose and went on to wreak havoc in a number of other companies - apparently because people don't talk to each other or because a condition of leaving is a glowing reference (which is why I treat such things as suspect).

          It's funny when a client who leaves because you refuse to be "flexible" about poor security practices comes back and begs to be reconnected, having worked his way around the available competition. It gave quite a bit of leverage in insisting that they cleaned house. (back in those days as an ISP you paid a hefty penalty for hacked clients as a few of them would invariably trash your bandwidth - so policing it was in your own interests)

      2. Alan Brown Silver badge

        Re: Lenovo crapware

        "Anecdotes are not data."

        Correct, however the hardware failure rate in our Lenovos approaches that of Macs and that takes some doing.

  8. sw guy

    What hardlink ?

    With the description done in story, I would have call that thing a softlink

  9. Triumphantape

    Always format and fresh install minus the bloatware, always.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like