Lenovo Service Engine

A bit more on this topic from yesterday:

Lenovo LSE, WPBT and wpbbin.exe


Lenovo has a response:

Lenovo Statement on Lenovo Service Engine (LSE) BIOS
http://news.lenovo.com/article_display.cfm?article_id=2013

There are more news agencies reporting on this story:
http://thetechportal.in/2015/08/12/lenovo-in-a-soup-for-secretly-downloading-update-and-software-even-after-system-wipe/
http://gadgets.ndtv.com/laptops/news/lenovo-covertly-downloading-installing-software-on-its-windows-pcs-reports-727109

Lenovo once again in hot waters over Lenovo Service Engine BIOS


http://thenextweb.com/insider/2015/08/12/lenovo-used-a-hidden-windows-feature-to-ensure-its-software-could-not-be-deleted/

Yuck, is each OS vendor using UEFI as a crutch? I wish the Linux Foundation (or some other group) had advice for chip vendors, IBVs, IHVs, and pre-OS ISVs on how to use Linux properly on UEFI systems. It should require that this Windows-centric BIOS code NOT be present on a Linux system. What other OS-specific crud is in my closed-source BIOS?!

Lenovo LSE, WPBT and wpbbin.exe

UPDATE: See-also:

WPBT attacks from the past: Alex at SyScan12

What’s the next built-in ACPI attack?

US-CERT: Lenovo Service Engine (LSE) BIOS Vulnerability

Lenovo Service Engine

An interesting find, potentially scary if misused. See the Ars Technica and YCombinator stories for discovery. What is Windows’ ‘wpbbin.exe’, and how/when is it used? There’s one reference to it on Microsoft.com in a DOC related to WPBT, the Windows Platform Binary Table. From one document no longer on the Microsoft web site (saved in Google cache, found on the Ars article):

A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools.  However, there is a small set of software where the tools are not enough.  The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity.  This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution.  The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table. The information provided here was originally published in conjunction with the availability of Windows 8. The guidance and requirements to use WPBT functionality has been updated for the Windows 10 timeframe.

https://www.google.com/?gws_rd=ssl#q=wpbbin.exe+site:microsoft.com
http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=ddf3e32512932172454de515091db014#p29497693
https://news.ycombinator.com/item?id=10039870
https://lkml.org/lkml/2015/5/20/1155
https://www.microsoft.com/en-us/download/details.aspx?id=38405

Found while researching the above: Lenovo has security updates for LSE:

LEN 2015-077: Lenovo Service Engine (LSE) BIOS for Desktop
LEN-2015-020: Lenovo Service Engine (LSE) BIOS for Notebook

Lenovo Security Advisory: LEN-2015-020
Potential Impact: Privilege Escalation
Severity: High
Summary: Vulnerabilities have been identified in the Lenovo Service Engine (LSE). Lenovo has released a BIOS update to disable Lenovo Service Engine and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10. See below for a full list of notebook systems with LSE installed. 

https://support.lenovo.com/us/en/product_security/lse_bios_notebook
https://support.lenovo.com/us/en/product_security