Crapware: Vulnerability in Lenovo Solution Center

If you have a Lenovo notebook or other Windows system, you should check to see if the Lenovo Solution Center is installed there. If this is the case, you should uninstall this crapware as soon as possible for security reasons.


Lenovo Solution Centre

Lenovo Solution Centre (LSC) is software developed by Lenovo and shipped preinstalled on many Lenovo Windows systems.

Lenovo Solution Centre (Source: Lenovo)

According to Lenovo, Lenovo Solution Center is a software application developed by Lenovo for Think products that enables users to 'get the most out of their computer'. With this new software, users can easily see the status of their system, network connections and system security, the manufacturer said.

According to Lenovo, the Solution Center (LSC) has been shipped with their Windows systems since 2011. However, Lenovo now states that the software reached its end of life on November 30, 2018 and will no longer be shipped with new devices. The Lenovo Solution Center is crapware filled with vulnerabilities.

New vulnerability – Lenovo says 'out of support'

Security researchers from the British company Pen Test Partners have found a serious vulnerability in the Lenovo Solution Center. The vulnerability, documented in CVE-2019-6177, allows attackers with normal user rights to gain administrator privileges. The security researchers describe the privilege escalation vulnerability in this article.


The vulnerability is that a highly privileged Lenovo process overwrites the Discretionary Access Control List (DACL), randomly changing the permissions of a file. This means that a low-privileged user can control it, because the highly privileged process gives all users on the system full control over that file.

In an attack, a low-privileged user could write a "hardlink" file to the controllable location: a pseudo file that really points to any other file on the system over which the low-privileged user has no control. When the Lenovo process runs, it overwrites the permissions of the hardlinked file with the same full-control permissions. This gives the low-privileged user full control over a file that they are not normally allowed to use. This can be used to execute arbitrary code on the system with administrator or SYSTEM privileges.
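The mechanism described above, with POSIX file modes standing in for the Windows DACL, as an added example that is not code from the original post, Lenovo or Pen Test Partners: permissions belong to the file rather than to its name, so a privileged permission change made through a hard link reaches the original file, and a guard on the link count refuses it. `set_mode_guarded`, `UnsafeTarget` and all file names are hypothetical, and the block assumes a POSIX system.

```python
import os
import stat
import tempfile

class UnsafeTarget(Exception):
    """Raised for a path whose permissions must not be changed."""

def set_mode_guarded(path, mode):
    """Hypothetical guard a privileged process could use instead of chmod(path)."""
    # O_NOFOLLOW refuses symlinks, O_NONBLOCK avoids hanging on a planted FIFO;
    # the descriptor pins the object that is inspected below.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeTarget(f"{path}: not a regular file")
        if st.st_nlink != 1:
            raise UnsafeTarget(f"{path}: file has {st.st_nlink} names")
        os.fchmod(fd, mode)  # acts on the inspected object, not on the name
    finally:
        os.close(fd)

def demo():
    """Constructed scenario; returns (mode after naive chmod, guard refused, mode after guard)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.cfg")  # file users may not modify
        drop_dir = os.path.join(root, "logs")            # user-controllable location
        os.mkdir(drop_dir)
        with open(protected, "w") as f:
            f.write("setting=1\n")
        os.chmod(protected, 0o600)
        planted = os.path.join(drop_dir, "app.log")
        os.link(protected, planted)                      # second name, same file
        # Naive privileged behaviour: loosen permissions by name.
        os.chmod(planted, 0o666)
        naive = stat.S_IMODE(os.stat(protected).st_mode)
        os.chmod(protected, 0o600)                       # reset for the guarded run
        try:
            set_mode_guarded(planted, 0o666)
            refused = False
        except UnsafeTarget:
            refused = True
        guarded = stat.S_IMODE(os.stat(protected).st_mode)
        return naive, refused, guarded

if __name__ == "__main__":
    print(demo())
```
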

Lenovo has published a security advisory for CVE-2019-6177 and has identified the vulnerability as critical. According to Lenovo, the vulnerability is in the Solution Center version 03.12.003, but this version was dropped from support. Lenovo states that users of the Lenovo Solution Center were recommended to migrate to Lenovo Vantage or Lenovo Diagnostics as early as April 2018.

Because support has expired, the manufacturer recommends that users uninstall the Lenovo Solution Center immediately using Programs and Features in the Windows Control Panel. According to the security researchers, Lenovo said the software dropped out of support in April 2018. But the last version of LSC was released in late November 2018. The British site The Register has also taken up the case here and calls the whole thing 'sweeping under the carpet'.

Similar articles:
Lenovo Solution Center vulnerable again
New Lenovo Solution Center V 3.3.003 fixes 2 security holes



This entry was posted in Security, Software, Windows.
