Magazine Tecnologia

Lenovo Companion app doesn’t notify you about security updates to TPM firmware

Creato il 22 dicembre 2017 da Promptpc
Lenovo Companion app doesn’t notify you about security updates to TPM firmware

Lenovo Companion app doesn't notify you about security updates to TPM firmware

New Lenovo devices come pre-installed with the Lenovo Companion; an app that manages device maintenance and warranty, and is responsible for updating your Lenovo drivers, firmware, and software. However, the Companion app doesn't take its responsibility too seriously and fails to notify you about security updates to your device's firmware.

My partner bought a new Lenovo ThinkPad Carbon X1 (5 gen.) and I may have seized it so I could compare it to my old first generation model. One of the differences I noticed was that it had the new Lenovo Companion app, the modern replacement for the old Lenovo OneKey Optimizer app I reviewed back in .

At first glance, I was quite pleased to see that Lenovo Companion now actually finds, downloads, and installs updates to Lenovo drivers, firmware, and software. The Companion app organizes available updates in three categories: Critical, Recommended, and Optional. Two restarts and a couple of minutes later, I thought I'd gotten every available firmware update in one go. It turns out, that wasn't the case despite this reassuring message in the Lenovo Companion app:

"No updates are available. Your system is up-to-date."

On closer inspection, I also noticed a box down in the bottom right corner labled "Additional updates" that links you off to the product support page for your product on Lenovo's website. I found three additional updates available, but the one that caught my interest was the only update in the "Security" section. I found a security update for the trusted platform module (TPM) firmware that addressed a vulnerability in its random number generator (CVE-2017-15361 or "ROCA"). The vulnerability allows attackers to extract the TPM's private encryption keys, and thus gain the ability to decrypt e.g. BitLocker Device Encryption that protects Windows by default on this device.

Lenovo Companion app doesn’t notify you about security updates to TPM firmware

Neither Windows Update nor Lenovo Companion nor automatically installed or informed me about the availability of this security update. Windows Update did actually kind-of-but-not-really address this issue with an update that added a notice about the outdated firmware in the Windows Trusted Platform Module (TMP) Management utility. I doubt many users (if any) ever open this program, and even fewer would notice the update-prompt that Microsoft have hidden there.

Advertisement

"Applying TPM firmware update will erase information stored in the TPM chip. In case customer uses any software (such as disk encryption software) which stores created keys to TPM chip, customer needs to stop using those software temporarily before applying TPM firmware update. This tool has the built-in function to suspend Microsoft BitLocker during TPM firmware update, for other software, customer needs to follow the instructions of software to avoid the data loss."


Sources

  • ADV170012: Vulnerability in TPM could allow Security Feature Bypass, , Security TechCenter, Microsoft
  • LEN-15552: RSA Keys Generated by Infineon TPMs are Insecure, , Lenovo Product Security Advisories, Lenovo
  • CVE-2017-15361 Detail, , US National Vulnerability Database, Information Technology Laboratory, US National Institute of Standards and Technology
  • TPM Firmware Update Utility README, , Lenovo
  • Drivers and Software, X1 Carbon 5th Gen - Kabylake (Type 20HR, 20HQ) Laptop (ThinkPad) 20HR0022MX, Lenovo Support, Lenovo

Potrebbero interessarti anche :

Ritornare alla prima pagina di Logo Paperblog

Possono interessarti anche questi articoli :