Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Lenovo System Update SSL证书验证中间人攻击漏洞
Vulnerability Description
Lenovo System Update是中国联想(Lenovo)公司的一套系统自动更新工具,它包括设备驱动更新、Windows系统补丁更新等。 Lenovo的System Update服务允许从伪造的服务器下载并安装任意升级可执行程序。在与服务器初始化SSL连接的时候客户端DLL没有执行证书链验证,只是对X.509证书的Issuer字段执行了字符串比较以判断是否属于IBM。SSL协商成功后客户端会继续下载XML文件,该文件中包含有到EXE文件的路径名、大小和相关的SHA-1哈希。如果XML文件所显示的软
CVSS Information
N/A
Vulnerability Type
N/A