Cisco fixed a dangerous vulnerability in user’s interface of its IOS XE product that allows…
As researchers at Pen Test Partners explained, the problem (CVE-2019-6177 is related to the DACL (Discretionary Access Control List), that is, Lenovo’s highly privileged process can overwrite file permissions that a low-privileged user can manage.
Read also: Open Source Android Spyware AhMyth Enters Google Play Store
This vulnerability allows attackers with limited access to a computer to write a hard link to a file to a controlled location.
“The Lenovo process overwrites privileges of such a file, which allows a user with low privileges to manage files that he normally cannot manage. This can be used to execute arbitrary code on a system with administrator rights or system privileges”, – the researchers write.
The vulnerability affects Lenovo Solution Center version 03.12.003. According to the manufacturer, LSC has not been supported since April 2018. However, on Lenovo’s site, the utility is still available for download.
The company acknowledged the problem, but the developers noticed Lenovo’s strange behavior.
“Whilst Lenovo were responsive to this disclosure, when we reported this to them back in May, their LSC download page noted that the tool went end of life in November 2018: But just after their disclosure went out, we noticed they had changed the end of life date to make it look like it went end of life even before the last version was released”, — report Pen Test Partners specialists.
Lenovo own vulnerability advisory states:
“Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018”
News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…
Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…
News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…
Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…
News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…
Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…