Lenovo devices have a years-old security flaw that remained unpatched until recently. As revealed, the preinstalled Lenovo software ‘Lenovo Solutions Center’ has a vulnerability for a long time. Exploiting the flaw could allow an attacker to execute arbitrary codes.
Vulnerability In Pre-Installed Lenovo Software
Researchers from Pen Test Partners have discovered a serious vulnerability in Lenovo’s preinstalled Lenovo Solution Center software. As described in the blog post, they found a privilege escalation bug that could allow arbitrary code execution by an attacker.
Lenovo continued to ship its LSC software preinstalled with all devices since at least since 2011. They later discontinued it officially in late 2018. This means a vast majority of Lenovo devices during this time period bear this flaw.
The researchers observed a discretionary access control list (DACL) overwrite vulnerability. An attacker with low privileges could exploit this flaw to gain access to files accessible by high-privileged users only. As stated in the blog post,
The high-privileged process gives all users on the system full control of that file. In this scenario, a low-privileged user can write a “hardlink” file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn’t have control of. When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to.
Essentially, a low-privileged adversary could even exploit the flaw to execute arbitrary codes with Admin or System privileges.
Lenovo’s Simple Solution: Uninstall LSC
Upon finding this vulnerability, the researchers reported it to Lenovo who acknowledged their effort in their advisory. Describing the vulnerability, Lenovo stated in the advisory,
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation.
To mitigate this vulnerability CVE-2019-6177 with a high-severity impact, Lenovo recommends users simply remove the Lenovo Solution Center software from their device. Since the vendors have already ended support for this tool in 2018, users can move to other tools.
Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.
Take your time to comment on this article.