Menu
Lenovo patches two high severity flaws in PC support tool

Lenovo patches two high severity flaws in PC support tool

The flaws could allow attackers to execute malicious code with system privileges and to kill other processes

Lenovo has fixed two high-severity vulnerabilities in the Lenovo Solution Center support tool that is preinstalled on many laptop and desktop PCs. The flaws could allow attackers to take over computers and terminate antivirus processes.

Lenovo Solution Center (LSC) allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The two new vulnerabilities, tracked as CVE-2016-5249 and CVE-2016-5248 in the Common Vulnerabilities and Exposures database, were found by security researchers from Trustwave. They affect LSC versions 3.3.002 and earlier.

The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account.

Privilege escalation flaws like this one cannot be used by themselves to compromise computers, but are often used in exploit chains. Due to security improvements in modern operating systems, remote code execution flaws don't always provide attackers with full control over affected systems and need to be combined with privilege escalation vulnerabilities.

Because of the functionality in the LSC.Services.SystemService component, any local user can open a communication pipe to the service and force it to execute arbitrary .NET code. Because this LSC service runs under the LocalSystem account, the rogue code would also be executed with LocalSystem privileges.

The second vulnerability, CVE-2016-5248, allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not. The target process could, for example, belong to an antivirus program or another security product.

Lenovo advises users to upgrade to LSC version 3.3.003. This can be done from the application itself by agreeing to automatic update prompt, from the separate Lenovo System Update utility or by downloading the latest version of LSC manually.

This is not the first time that serious flaws were found in LSC. However, Lenovo seems to be responding to such vulnerabilities in a timely manner by releasing patches and publishing security advisories. In a recent security analysis of the update tools preloaded on computers PC manufacturers, LSC was found to have one of the most secure implementations.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments