• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Lenovo System Update Privilege Escalation


Cliff S

Missing my GIF avatars:(
Pro User
Bamberg Germany

Posts
2,393
#1
Lenovo Security Advisory: LEN-2015-011
Potential Impact: Execution of arbitrary code
Severity: Medium

Summary:
Multiple vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities.

Description:
Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation creating a race condition. The latest Lenovo System Update release eliminates this possibility. Lenovo System Update uses a service called SUService.exe to run system updates. As part of the authentication and validation process the service only accepts commands if a valid security token is passed along with the command. Vulnerabilities were discovered on how the security tokens were generated allowing an attacker to run commands. The latest Lenovo System Update release fixes the token authentication flaws.
Other security issues were also addressed in this update.
Mitigation Strategy for Customers (what you should do to protect yourself):
Starting from April 1, 2015, run Lenovo System Update and install the latest version of the application, version 5.06.0034 or later. You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting “About.”
Steps to update:
Lenovo System Update automatically checks for a later version whenever the application is run. Click OK when prompted that new version is available.
To manually update, download the latest version from the following URL.

Product Impact:
The following products may be impacted:

  • All ThinkPad
  • All ThinkCentre
  • All ThinkStation
  • Lenovo V/B/K/E Series
Acknowledgements:
Lenovo would like to thank Michael Milvich and Sofiane Talmat of IOActive for reporting these issues.

Other information and references:


Source: https://support.lenovo.com/us/en/product_security/lsu_privilege
 

My Computer

System One

  • OS
    Windows 8.1 Update Pro in Hyper-V/Windows 10 Pro 64 bit
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Cliff's Black & Blue Wonder
    CPU
    Intel Core i9-9900K
    Motherboard
    ASUS ROG Maximus X Hero
    Memory
    32 GB Quad Kit, G.Skill Trident Z RGB Series schwarz, DDR4-3866, 18-19-19-39-2T
    Graphics Card(s)
    ZOTAC GAMING GeForce RTX 2080 Ti AMP! Extreme Edition
    Sound Card
    (1) HD Webcam C270 (2) NVIDIA High Definition Audio (3) Realtek High Definition Audio
    Monitor(s) Displays
    BenQ BL2711U(4K) and a hp 27vx(1080p)
    Screen Resolution
    1920 x 1080 x 32 bits (4294967296 colors) @ 60 Hz
    Hard Drives
    C: Samsung 960 EVO NVMe M.2 SSD
    E: & O: Libraries & OneDrive-> Samsung 850 EVO 1TB
    D: Hyper-V VM's -> Samsung PM951 Client M.2 512Gb SSD
    G: System Images -> HDD Seagate Barracuda 2TB
    PSU
    Corsair HX1000i High Performance ATX Power Supply 80+ Platinum
    Case
    hanteks Enthoo Pro TG
    Cooling
    Thermaltake Floe Riing RGB TT Premium-Edition 360mm and 3 Corsair blue LED fans
    Keyboard
    Trust GTX THURA
    Mouse
    Trust GTX 148
    Internet Speed
    25+/5+ (+usually faster)
    Browser
    Edge; Chrome; IE11
    Antivirus
    Windows Defender of course & Malwarebytes Anti-Exploit as a
    Other Info
    Router: FRITZ!Box 7490
    Sound system: Philips Soundbar HTL2160 w/subwoofer

Cliff S

Missing my GIF avatars:(
Pro User
Bamberg Germany

Posts
2,393
#2
Bundleware/ Crapware: This is why I do a clean install on a brand new PC.
 

My Computer

System One

  • OS
    Windows 8.1 Update Pro in Hyper-V/Windows 10 Pro 64 bit
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Cliff's Black & Blue Wonder
    CPU
    Intel Core i9-9900K
    Motherboard
    ASUS ROG Maximus X Hero
    Memory
    32 GB Quad Kit, G.Skill Trident Z RGB Series schwarz, DDR4-3866, 18-19-19-39-2T
    Graphics Card(s)
    ZOTAC GAMING GeForce RTX 2080 Ti AMP! Extreme Edition
    Sound Card
    (1) HD Webcam C270 (2) NVIDIA High Definition Audio (3) Realtek High Definition Audio
    Monitor(s) Displays
    BenQ BL2711U(4K) and a hp 27vx(1080p)
    Screen Resolution
    1920 x 1080 x 32 bits (4294967296 colors) @ 60 Hz
    Hard Drives
    C: Samsung 960 EVO NVMe M.2 SSD
    E: & O: Libraries & OneDrive-> Samsung 850 EVO 1TB
    D: Hyper-V VM's -> Samsung PM951 Client M.2 512Gb SSD
    G: System Images -> HDD Seagate Barracuda 2TB
    PSU
    Corsair HX1000i High Performance ATX Power Supply 80+ Platinum
    Case
    hanteks Enthoo Pro TG
    Cooling
    Thermaltake Floe Riing RGB TT Premium-Edition 360mm and 3 Corsair blue LED fans
    Keyboard
    Trust GTX THURA
    Mouse
    Trust GTX 148
    Internet Speed
    25+/5+ (+usually faster)
    Browser
    Edge; Chrome; IE11
    Antivirus
    Windows Defender of course & Malwarebytes Anti-Exploit as a
    Other Info
    Router: FRITZ!Box 7490
    Sound system: Philips Soundbar HTL2160 w/subwoofer

Users Who Are Viewing This Thread (Users: 0, Guests: 1)