Security experts at Pen Test Partners (PTP) discovered a privilege-escalation vulnerability in Lenovo Solution Centre (LSC) that has existed since 2011.
“A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation.” read the security advisory published by Lenovo. “Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.”
The vulnerability, tracked as CVE-2019-6177, could be exploited by attackers to escalate privileges.
The company attempted to downplay the severity of the issue, highlighting that the product is no longer supported, even though most of the Chinese vendor's laptops running Windows are shipped with the flawed software.
“We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices.” states the post published by Pen Test Partners.
“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control. In this scenario, a low-privileged user can write a ‘
The experts explained that the Lenovo Solution Centre adds a task at “\Lenovo\Lenovo Solution Center Launcher”, which runs with “highest privileges”.
The task created by the LSC runs the LSC.Services.UpdateStatusService.exe binary 10 minutes after a login event.
The binary executed by the scheduled task overwrites the DACL of the Lenovo product’s logs folder, giving everyone in the Authenticated Users
In order to exploit the flaw, attackers have to create a
It is quite easy for an attacker with access to the machine to run arbitrary code with administrator-level privileges.
“Then you log out, log in, and 10 minutes later, the hosts file DACL will be overwritten.” wrote the researchers.
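A read-only PowerShell check for the scheduled task described above, added here as an example (it is not code from Pen Test Partners or Lenovo). The task path, task name and binary name are the ones quoted in the article; `$LogPath` is a placeholder parameter because the article does not give the logs folder location, and flagging write-type rights is an assumption about what the overwritten DACL grants.

```powershell
# Added example (not from the article or from Lenovo). Read-only checks.
param(
    # Assumption: the logs folder path is not given in the article; pass it if known.
    [string]$LogPath = ''
)

# Task path, task name and binary name are the ones quoted in the article.
$taskPath = '\Lenovo\'
$taskName = 'Lenovo Solution Center Launcher'
$binary   = 'LSC.Services.UpdateStatusService.exe'

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = $task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }
    [pscustomobject]@{
        Task           = "$($task.TaskPath)$($task.TaskName)"
        State          = $task.State
        RunLevel       = $task.Principal.RunLevel   # 'Highest' = "highest privileges"
        Principal      = "$($task.Principal.UserId)$($task.Principal.GroupId)"
        Actions        = $actions -join '; '
        RunsLscUpdater = [bool]($actions -like "*$binary*")
    } | Format-List
} else {
    Write-Output "Scheduled task '$taskPath$taskName' not found on this host."
}

if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $sid   = [System.Security.Principal.SecurityIdentifier]
    # Resolve ACEs to SIDs so the match also works on localized Windows
    # (S-1-5-11 is the well-known SID of Authenticated Users).
    $hits = (Get-Acl -LiteralPath $LogPath).GetAccessRules($true, $true, $sid) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write)
    }
    if ($hits) {
        $hits | Select-Object FileSystemRights, IsInherited, InheritanceFlags | Format-Table -AutoSize
    } else {
        Write-Output "No write-type allow entry for Authenticated Users on $LogPath."
    }
}
```

A host where the task is present with `RunLevel` set to `Highest` and `RunsLscUpdater` true matches the configuration the researchers describe.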
The only way to fix the issue is to
Pen Test Partners criticized the way Lenovo managed the report of the flaw.
“But just after their disclosure went out, we noticed they had changed the end of life date to make it look like it went end of life even before the last version was released.”
(SecurityAffairs – Lenovo Solution Centre, hacking)