Lenovo High-Severity Bug Found in Pre-Installed Software


Security researchers at Pen Test Partners have found a privilege escalation flaw in the much-maligned Lenovo Solution Center software.

Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Center software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges.

The research comes from Pen Test Partners, which found the flaw (CVE-2019-6177) and said the vulnerability is tied to Lenovo’s much-maligned Lenovo Solution Center (LSC) software.

“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control,” wrote researchers at Pen Test Partners in a technical description of the bug posted Thursday.

Lenovo issued a security bulletin regarding this bug and recommended users upgrade to a similar utility called Lenovo Vantage.

Researchers describe the bug as giving hackers with low-privilege access to a PC the ability to write a “hardlink” file to a controllable location. This “hardlink” file would be a low-privilege “pseudo file” that could be used to point to a second privileged file.

“When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to,” researchers wrote. “This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges.”
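The pattern the researchers describe, shown as an added example that is not code from Lenovo or Pen Test Partners: it is a POSIX analogue that uses mode bits in place of Windows DACLs, with a path-based permission change beside a hardened version that refuses files with more than one hard link. The function names, file names and temporary directory are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

class UnsafeTarget(Exception):
    """Raised when a file must not have its permissions rewritten."""

def naive_set_mode(path, mode):
    # Weak pattern: trusts whatever object the name in a user-writable directory refers to.
    os.chmod(path, mode)

def safe_set_mode(path, mode):
    # O_NOFOLLOW refuses a symlink as the final path component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTarget("not a regular file")
        if st.st_nlink != 1:
            # A second name means the same file also exists under another path.
            raise UnsafeTarget("file has %d hard links" % st.st_nlink)
        # Act on the descriptor so the check and the change apply to the same object.
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def run_demo():
    """Constructed scenario in a temp directory; returns the observed mode bits."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.cfg")    # stands in for a privileged file
        planted = os.path.join(root, "user_writable.log")  # name in the user-controlled location
        with open(protected, "w") as fh:
            fh.write("sensitive")
        os.chmod(protected, 0o600)
        os.link(protected, planted)  # both names now refer to one file
        naive_set_mode(planted, 0o666)
        after_naive = stat.S_IMODE(os.stat(protected).st_mode)
        os.chmod(protected, 0o600)   # reset before the hardened attempt
        try:
            safe_set_mode(planted, 0o666)
            refused = False
        except UnsafeTarget:
            refused = True
        after_safe = stat.S_IMODE(os.stat(protected).st_mode)
        return {"after_naive": after_naive, "refused": refused, "after_safe": after_safe}

if __name__ == "__main__":
    print(run_demo())
```

On Windows the corresponding check would read the link count from the open file handle before any ACL change; that mapping is stated here as an assumption and is not taken from the Lenovo fix.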

The software’s intended purpose is to monitor the overall health of the PC. It monitors the battery and firewall and checks for driver updates. It comes pre-installed on the majority of Lenovo PCs, both desktops and laptops, for businesses and consumers.

The problematic version is 03.12.003, which Lenovo said is no longer supported. According to Lenovo, the software was originally released in 2011. Lenovo said LSC has been “officially” designated end of life since November 2018. However, a version is still available for download via the Lenovo website.

Lenovo’s LSC software has been a source of many headaches for Lenovo. In 2016, researchers found a similar escalation of privileges bug. In 2015, the hacking group Slipstream/RoL demonstrated a proof-of-concept attack that exploited an LSC bug that allowed a malicious web page to execute code on Lenovo PCs with system privileges.

The LSC security flaw is the most recent in a long list of security fumbles that have plagued Lenovo over the past year. In February 2015, Lenovo was put in the security hot seat when researchers discovered a piece of software called Superfish that injected ads on websites and could be abused by hackers to read encrypted passwords and web-browsing data.

Last August, Lenovo again landed in hot water when it was criticized for automatically downloading Lenovo Service Engine software – labeled as unwanted bloatware by many. Worse, when users removed the software Lenovo systems were configured to download and reinstall the program without the PC owner’s consent.
