Lenovo notebooks and devices that use the ImController service are vulnerable to privilege escalation. This can allow attackers to execute commands with administrator privileges on the devices. However, an update is available that addresses both of the underlying vulnerabilities.
I already came across the information from colleagues here the other day, so I'm posting it as a security topic. Security researchers at NCC Group released this advisory on Dec. 15, 2021, regarding the vulnerabilities in Lenovo notebooks and Yoga devices.
The ImController service
Lenovo ships a special ImController service pre-installed on its notebook and Yoga devices. The ImController service is installed on specific Lenovo devices (e.g., ThinkPad) and runs as a SYSTEM user. The service periodically runs subordinate processes for system configuration and maintenance tasks.
Critical vulnerabilities in the service
The service starts highly privileged child processes, resulting in two vulnerabilities, CVE-2021-3922 and CVE-2021-3969. These affect the ImControllerService component of all Lenovo System Interface Foundation versions below 1.1.20.3. On Windows, the service appears as "System Interface Foundation Service". As a component of the Lenovo System Interface Foundation, it helps Lenovo devices communicate with universal apps such as Lenovo Companion, Lenovo Settings and Lenovo ID. According to this Lenovo support document, the following vulnerabilities exist.
- CVE-2021-3922: A race condition vulnerability in IMController that could allow a local attacker to connect to and interact with the named pipe of the IMController subprocess.
- CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability in IMController that could allow a local attacker to escalate privileges.
Both vulnerabilities can only be exploited locally, but could cause some damage as part of a chain of vulnerabilities. Lenovo has since provided an update in the form of Lenovo System Interface Foundation version 1.1.20.3 (see support document), which fixes the vulnerabilities. According to this Lenovo forum post, the component should update itself automatically.
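Since the automatic update may not have reached every machine, here is a quick local check as an added example (not code from Lenovo, NCC Group or the original post). It looks up the service by the display name mentioned above and compares the version of its binary against 1.1.20.3; that the binary's file version tracks the System Interface Foundation version is an assumption, and the helper name `Get-ServiceBinaryPath` is made up for this example.

```powershell
# Added example: report whether the ImController service binary predates the fixed release.
$FixedVersion = [version]'1.1.20.3'                    # fixed release named in the article
$DisplayName  = 'System Interface Foundation Service'  # service name as shown on Windows

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName can be quoted and can carry arguments after the executable.
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$services = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$DisplayName'")
if ($services.Count -eq 0) {
    Write-Output "Service '$DisplayName' not found on $env:COMPUTERNAME."
    return
}

foreach ($svc in $services) {
    $path = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        Write-Warning "Cannot locate the binary for $($svc.Name): $($svc.PathName)"
        continue
    }

    # Assumption: the binary's file version tracks the System Interface Foundation version.
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                $vi.FileBuildPart, $vi.FilePrivatePart)

    # [version] compares numerically per field, so 1.1.9.0 sorts below 1.1.20.3.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Service     = $svc.Name
        RunsAs      = $svc.StartName
        Installed   = $installed
        Fixed       = $FixedVersion
        NeedsUpdate = ($installed -lt $FixedVersion)
    }
}
```

Machines where `NeedsUpdate` is `True` have not yet received the fixed component and should be updated manually.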