A privilege escalation vulnerability has been discovered in the Lenovo Solution Center (LSC) software, which is preinstalled on millions of Lenovo computers. It could allow an attacker to execute code and gain administrator or SYSTEM privileges on the system under attack.
The Lenovo Solution Center tool is designed to diagnose and monitor the status of Lenovo devices. The utility monitors the status of the battery and firewall and checks the availability of driver updates. The software is preinstalled on most Lenovo devices, including desktops and laptops.
As researchers at Pen Test Partners explained, the problem (CVE-2019-6177) is related to the DACL (Discretionary Access Control List): a highly privileged Lenovo process can overwrite the permissions of a file that a low-privileged user can manage.
This vulnerability allows attackers with limited access to a computer to write a hard link, pointing to a file, into a location they control.
“The Lenovo process overwrites privileges of such a file, which allows a user with low privileges to manage files that he normally cannot manage. This can be used to execute arbitrary code on a system with administrator rights or system privileges,” the researchers write.
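The pattern described above, shown next to a hardened form, as an added example that is not code from Lenovo or Pen Test Partners. It assumes a POSIX system where file modes stand in for the Windows DACL, and the function names are hypothetical.

```python
import os
import stat

class UnsafeTarget(Exception):
    """Raised when a file must not have its permissions changed."""

def naive_grant(path, mode=0o666):
    # Vulnerable pattern: acts on whatever the name resolves to, so a hard
    # link placed in a user-writable directory redirects the change.
    os.chmod(path, mode)

def safe_grant(path, mode=0o666):
    # Open without following symlinks, then inspect the object actually held.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTarget(f"{path}: not a regular file")
        if st.st_nlink != 1:
            # More than one name: the file also exists somewhere else.
            raise UnsafeTarget(f"{path}: {st.st_nlink} hard links")
        os.fchmod(fd, mode)  # apply to the checked handle, not the name
    finally:
        os.close(fd)

def find_hard_linked(directory):
    """Audit helper: regular files under directory that have extra names."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                hits.append(p)
    return sorted(hits)
```
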
The vulnerability affects Lenovo Solution Center version 03.12.003. According to the manufacturer, LSC has not been supported since April 2018. However, on Lenovo’s site, the utility is still available for download.
The company acknowledged the problem, but the developers noticed Lenovo’s strange behavior.
“Whilst Lenovo were responsive to this disclosure, when we reported this to them back in May, their LSC download page noted that the tool went end of life in November 2018: But just after their disclosure went out, we noticed they had changed the end of life date to make it look like it went end of life even before the last version was released,” Pen Test Partners specialists report.
Lenovo's own vulnerability advisory states:
“Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018”
Could it be a typo, or were Lenovo trying to cover their tracks? Misleading and strange.