Lenovo has fixed a security vulnerability in the Lenovo Solution Center (LSC) support tool that could be exploited by attackers to execute code with system privileges and take over the machine.
Lenovo Solution Center (LSC) software is pre-installed by Lenovo on many laptops and desktops, it is used by users to check their system information, manage updates and backups, check battery status, manage registration info and perform hardware tests.
The Lenovo Solution Center application is composed of two main components, the UI and the LSCTaskService service that always runs in the background.
The company released on April 25 the Lenovo Solution Center version 3.3.002 that includes a fix for a local privilege escalation vulnerability reported by Trustwave. The flaw could be exploited by a local Windows user to run malicious code with system privileges and take over the computer.
“Vulnerabilities were identified within LSC’s backend service process that may allow a local user to execute arbitrary code with SYSTEM level privileges. In addition, a cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine. The user’s computer may still be vulnerable even if the LSC user interface is not running.” reads the advisory from Lenovo”
This incident is the last in order of time that is related to flaw affecting software pre-installed by manufacturers on their PCs. In December, another flaw was discovered in the Lenovo LSC application.
It is important to note that in order to apply the fix users should download the latest version manually from the company website.
(Security Affairs – Lenovo, Lenovo Solution Center)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.