CVE-2008-3249 - Credentials Management vulnerability in Lenovo ThinkVantage System Update 3.13
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | Windows |
NASL id | THINKVANTAGE_SYSTEM_UPDATE_3_14.NASL |
description | The remote host is running ThinkVantage System Update, a software distribution tool for Lenovo computers. The version of System Update installed on the remote host reportedly does not perform certificate chain verification when initiating an SSL connection with an update server. An attacker who could redirect connections to a malicious server could leverage this issue to send specially crafted XML and EXE files in response to requests from System Update, which would then lead to arbitrary code execution. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 32443 |
published | 2008-05-28 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/32443 |
title | ThinkVantage System Update < 3.14 SSL Certificate Issuer Spoofing |
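The flaw described in the summary and in the Nessus description is a name-match check standing in for chain verification: a client that only compares the presented certificate's Issuer and Subject against a pinned public certificate will accept any self-signed certificate whose fields are copied from it. The following is an added example in Go against the standard library, not Lenovo's, IBM's or Tenable's code; `weakCheck` is a reconstruction of the described behaviour, the distinguished names and the hostname `update.example` are constructed, and the genuine root, the genuine leaf and the forgery are all generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names standing in for the pinned IBM certificate and the update
// server; the real distinguished names are not given on the page.
var (
	caName   = pkix.Name{CommonName: "Example Update Root CA", Organization: []string{"Example Corp"}}
	leafName = pkix.Name{CommonName: "update.example", Organization: []string{"Example Corp"}}
)

// issue mints a certificate for subject whose Issuer field reads issuerName.
// With signerKey == nil it is self-signed by its own fresh key, which is how
// both the genuine root and the attacker's forgery are produced below.
func issue(subject, issuerName pkix.Name, isCA bool, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signerKey == nil {
		signerKey = key
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{leafName.CommonName}
	}
	// A bare parent carrying only a Subject: CreateCertificate copies it into the
	// Issuer field and, having no parent public key to compare, accepts any signerKey.
	parent := &x509.Certificate{Subject: issuerName}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// weakCheck models the flaw the advisory describes (a reconstruction, not the
// vendor's code): accept any certificate whose Issuer and Subject names equal
// those of the pinned public certificate, with no signature or chain validation.
func weakCheck(presented, pinned *x509.Certificate) bool {
	return presented.Issuer.String() == pinned.Issuer.String() &&
		presented.Subject.String() == pinned.Subject.String()
}

// strictCheck is the validation a correct client performs: build and verify the
// chain to a trusted root and match the server hostname against the SAN.
func strictCheck(presented, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Demo builds the genuine chain and an attacker's forgery, then runs both checks
// on each. The forgery copies Subject and Issuer verbatim but is signed by a key
// the root never certified.
func Demo() (weakLegit, weakForged bool, strictLegit, strictForged error) {
	root, rootKey := issue(caName, caName, true, nil)
	legit, _ := issue(leafName, caName, false, rootKey)
	forged, _ := issue(leafName, caName, false, nil)
	return weakCheck(legit, legit), weakCheck(forged, legit),
		strictCheck(legit, root, leafName.CommonName),
		strictCheck(forged, root, leafName.CommonName)
}

func main() {
	wl, wf, sl, sf := Demo()
	fmt.Printf("name-only check:    genuine=%v forged=%v\n", wl, wf)
	fmt.Printf("chain verification: genuine err=%v forged err=%v\n", sl, sf)
}
```

Running it shows the forgery accepted by the name-only comparison and rejected by `Verify`, which cannot find a trusted root whose key validates its signature; the name fields of an X.509 certificate are attacker-controlled, so only the signature chain back to a pinned root, plus a hostname match, ties a presented certificate to the expected server.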