- Messages
- 2,467
- Location
- Bamberg Germany
Lenovo Security Advisory: LEN-2015-011
Potential Impact: Execution of arbitrary code
Severity: Medium
Summary:
Multiple vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities.
Description:
Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation creating a race condition. The latest Lenovo System Update release eliminates this possibility. Lenovo System Update uses a service called SUService.exe to run system updates. As part of the authentication and validation process the service only accepts commands if a valid security token is passed along with the command. Vulnerabilities were discovered on how the security tokens were generated allowing an attacker to run commands. The latest Lenovo System Update release fixes the token authentication flaws.
Other security issues were also addressed in this update.
Mitigation Strategy for Customers (what you should do to protect yourself):
Starting from April 1, 2015, run Lenovo System Update and install the latest version of the application, version 5.06.0034 or later. You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting “About.”
Steps to update:
Lenovo System Update automatically checks for a later version whenever the application is run. Click OK when prompted that new version is available.
To manually update, download the latest version from the following URL.
Product Impact:
The following products may be impacted:
Lenovo would like to thank Michael Milvich and Sofiane Talmat of IOActive for reporting these issues.
Other information and references:
Source: https://support.lenovo.com/us/en/product_security/lsu_privilege
Potential Impact: Execution of arbitrary code
Severity: Medium
Summary:
Multiple vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities.
Description:
Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation creating a race condition. The latest Lenovo System Update release eliminates this possibility. Lenovo System Update uses a service called SUService.exe to run system updates. As part of the authentication and validation process the service only accepts commands if a valid security token is passed along with the command. Vulnerabilities were discovered on how the security tokens were generated allowing an attacker to run commands. The latest Lenovo System Update release fixes the token authentication flaws.
Other security issues were also addressed in this update.
Mitigation Strategy for Customers (what you should do to protect yourself):
Starting from April 1, 2015, run Lenovo System Update and install the latest version of the application, version 5.06.0034 or later. You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting “About.”
Steps to update:
Lenovo System Update automatically checks for a later version whenever the application is run. Click OK when prompted that new version is available.
To manually update, download the latest version from the following URL.
Product Impact:
The following products may be impacted:
- All ThinkPad
- All ThinkCentre
- All ThinkStation
- Lenovo V/B/K/E Series
Lenovo would like to thank Michael Milvich and Sofiane Talmat of IOActive for reporting these issues.
Other information and references:
- CVE ID: CVE-*2015-*2219, CVE-*2015-*2233, CVE-*2015-*2234
- IOActive | Labs | Advisories
Source: https://support.lenovo.com/us/en/product_security/lsu_privilege
My Computer
System One
-
- OS
- Windows 8.1 Update Pro in Hyper-V/Windows 10 Pro 64 bit
- Computer type
- PC/Desktop
- System Manufacturer/Model
- Cliff's Black & Blue Wonder
- CPU
- Intel Core i9-9900K
- Motherboard
- ASUS ROG Maximus X Hero
- Memory
- 32 GB Quad Kit, G.Skill Trident Z RGB Series schwarz, DDR4-3866, 18-19-19-39-2T
- Graphics Card(s)
- ASUS GeForce RTX 3090 ROG Strix O24G, 24576 MB GDDR6X
- Sound Card
- (1) HD Webcam C270 (2) NVIDIA High Definition Audio (3) Realtek High Definition Audio
- Monitor(s) Displays
- BenQ BL2711U(4K) and a hp 27vx(1080p)
- Screen Resolution
- 1920 x 1080 x 32 bits (4294967296 colors) @ 60 Hz
- Hard Drives
- C: Samsung 960 EVO NVMe M.2 SSD
E: & O: Libraries & OneDrive-> Samsung 850 EVO 1TB
D: Hyper-V VM's -> Samsung PM951 Client M.2 512Gb SSD
G: System Images -> HDD Seagate Barracuda 2TB
- PSU
- Corsair HX1000i High Performance ATX Power Supply 80+ Platinum
- Case
- hanteks Enthoo Pro TG
- Cooling
- Thermaltake Floe Riing RGB TT Premium-Edition 360mm and 3 Corsair blue LED fans
- Keyboard
- Trust GTX THURA
- Mouse
- Trust GTX 148
- Internet Speed
- 25+/5+ (+usually faster)
- Browser
- Edge; Chrome; IE11
- Antivirus
- Windows Defender of course & Malwarebytes Anti-Exploit as a
- Other Info
- Router: FRITZ!Box 7590 AX V2
Sound system: SHARP HT-SBW460 Dolby Atmos Soundbar
Webcam: Logitech BRIO ULTRA HD PRO WEBCAM 4K webcam with HDR