A new vulnerability has been discovered in Lenovo’s much-maligned Lenovo Solution Center (LSC) software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code, said researchers at Trustwave SpiderLabs.
The flaw allows an attacker to elevate privileges and is tied to the LSC application’s backend. It opens the door for a malicious attacker to start the LSC service and trick it into executing arbitrary code in the local system context, said Karl Sigler, a SpiderLabs researcher at Trustwave.
LSC comes preloaded on nearly all Lenovo business and consumer desktop and laptop PCs. The software acts as a dashboard that monitors system health and security, including battery life, driver updates and firewall status. Lenovo issued a fix for the security flaw last week. This is the second time the computer maker has had to patch LSC – the first being December 2015.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 it updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” a Lenovo spokesperson told Threatpost.
“This is a pretty bad vulnerability, but it does require an existing user to be logged in in order to pull off any attack,” Sigler said in an email interview with Threatpost. He said the attack can’t be exploited remotely. “For a malicious insider or for an attacker that already has a foothold in the network, this vulnerability could be used to make that foothold a full gateway to your network,” he said.
Trustwave later today is publicly disclosing details of the vulnerability, found by SpiderLabs researcher Martin Rakhmanov.
This is the second time Lenovo has had to fix security vulnerabilities tied to its LSC software.
Far more serious flaws were originally discovered in LSC software by the hacking group Slipstream/RoL on Dec. 3, 2015. That’s when the group – without forewarning Lenovo of its disclosure – demonstrated a proof-of-concept exploit that allowed a malicious web page to execute code on Lenovo PCs with system privileges.
Hackers demonstrated how they could exploit the LSC’s SerLSCTaskService component, which opens an HTTP daemon on a system port that can receive commands. One of those commands, called RunInstaller, executes files placed in the Local Store folder of the Lenovo PC.
Slipstream/RoL also demonstrated another vulnerability tied to the LSCTaskService. This flaw opened Lenovo systems running the LSC software to cross-site request forgery attacks. In this case, attackers could remotely execute code on Lenovo PCs running the LSC software just by enticing a user to visit a malicious website.
“By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document [such as] a web page or an HTML email message or attachment, an attacker may be able to execute arbitrary code with SYSTEM privileges,” explained a vulnerability note from the DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University.
Blindsided by the Slipstream/RoL exploits, Lenovo responded quickly to the proof-of-concepts, issuing a statement at the time: “We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible,” it wrote in a Lenovo Security Advisory. On Dec. 9, 2015, Lenovo replaced its version 2.x.x LSC software with version 3.x.x, which fixed the problem.
The LSC security flaw is the most recent in a long list of security fumbles that have plagued Lenovo over the past year. In February 2015, Lenovo was put in the security hot seat when researchers discovered a piece of software called Superfish that injected ads on websites and could be abused by hackers to read encrypted passwords and web-browsing data.
Last August, Lenovo again landed in hot water when it was criticized for automatically downloading Lenovo Service Engine software – labeled as unwanted bloatware by many. Worse, when users removed the software, Lenovo systems were configured to download and reinstall the program without the PC owner’s consent.