Lenovo System Update Privilege Escalation

Cliff S

Lenovo Security Advisory: LEN-2015-011
Potential Impact: Execution of arbitrary code
Severity: Medium

Summary:
Multiple vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities.

Description:
Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation, creating a race condition. The latest Lenovo System Update release eliminates this possibility.

Lenovo System Update uses a service called SUService.exe to run system updates. As part of the authentication and validation process, the service only accepts commands if a valid security token is passed along with the command. Vulnerabilities were discovered in how the security tokens were generated, allowing an attacker to run commands. The latest Lenovo System Update release fixes the token authentication flaws.

Other security issues were also addressed in this update.

Mitigation Strategy for Customers (what you should do to protect yourself):
Starting from April 1, 2015, run Lenovo System Update and install the latest version of the application, version 5.06.0034 or later. You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting “About.”

Steps to update:
Lenovo System Update automatically checks for a later version whenever the application is run. Click OK when prompted that a new version is available.
To manually update, download the latest version from the following URL.

Product Impact:
The following products may be impacted:

  • All ThinkPad
  • All ThinkCentre
  • All ThinkStation
  • Lenovo V/B/K/E Series

Acknowledgements:
Lenovo would like to thank Michael Milvich and Sofiane Talmat of IOActive for reporting these issues.

Other information and references:


Source: https://support.lenovo.com/us/en/product_security/lsu_privilege
 

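The race described in the advisory (update files validated at download time, then altered before installation) is a check-then-use gap. The following Python example is added here and is not Lenovo's code or part of the original post; the function names, file names and the hook standing in for a concurrent local writer are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def install_check_then_use(path, expected, hook=None):
    """Weak: validate the file, then reread the same path at install time."""
    if digest(path) != expected:             # time of check
        raise ValueError("hash mismatch")
    if hook:
        hook()                               # stands in for a concurrent local writer
    return Path(path).read_bytes()           # time of use: second read of the path


def install_from_private_copy(path, expected, hook=None):
    """Hardened: copy to a private directory, validate the copy, use the copy."""
    # mkdtemp is mode 0700 on POSIX; assumption: a Windows service would
    # use a directory whose ACL only the service account can write.
    staging = Path(tempfile.mkdtemp(prefix="stage-"))
    try:
        staged = staging / "package.bin"
        shutil.copyfile(path, staged)
        if hook:
            hook()                           # download path changes, staged copy does not
        if digest(staged) != expected:
            raise ValueError("hash mismatch")
        return staged.read_bytes()           # the validated bytes are the ones used
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def demo():
    """Per pattern: do the bytes used equal the bytes that were validated?"""
    pkg = Path(tempfile.mkdtemp(prefix="downloads-")) / "update.bin"
    good = b"constructed update payload"     # constructed sample data
    expected = hashlib.sha256(good).hexdigest()
    def alter():
        pkg.write_bytes(b"constructed altered payload")
    results = {}
    for fn in (install_check_then_use, install_from_private_copy):
        pkg.write_bytes(good)
        results[fn.__name__] = fn(pkg, expected, alter) == good
    shutil.rmtree(pkg.parent, ignore_errors=True)
    return results
```

`demo()` reports `False` for the check-then-use pattern and `True` for the private-copy pattern; a file altered before the copy is rejected by the hash check on the staged copy.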
Bundleware/ Crapware: This is why I do a clean install on a brand new PC.
 
