Security researchers at Pen Test Partners have found a privilege escalation flaw in the much-maligned Lenovo Solution Center software.
Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Center software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges.
The research comes from Pen Test Partners, who found the flaw (CVE-2019-6177) and said the vulnerability is tied to Lenovo’s much-maligned Lenovo Solution Center (LSC) software.
“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control,” wrote researchers at Pen Test Partners in a technical description of the bug posted Thursday.
Researchers describe the bug as giving hackers with low-privilege access to a PC the ability to write a “hardlink” file to a controllable location. This “hardlink” file would be a low-privilege “pseudo-file” that could be used to point to a second privileged file.
“When the Lenovo process runs, it overwrites the privileges of the hard-linked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to,” researchers wrote. “This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges.”
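The same class of bug can be reproduced defensively on POSIX, as an added example that is not Lenovo's or Pen Test Partners' code: file mode bits stand in for the Windows DACL, and a permission reset by path name is shown beside a version that inspects the opened file first. All function names, file names and the scenario are constructed for illustration.

```python
import os
import stat
import tempfile

PERMISSIVE = 0o666  # stand-in for the permissive DACL the service applies

def naive_reset(path):
    """Flawed pattern: change permissions by name, whatever the name refers to."""
    os.chmod(path, PERMISSIVE)

def hardened_reset(path):
    """Open first, inspect the opened object, then change permissions on the handle."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symbolic links
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_nlink != 1:  # another name exists for this file somewhere else
            raise PermissionError(f"{path}: has {st.st_nlink} names, refusing")
        os.fchmod(fd, PERMISSIVE)  # acts on the inspected file, not on the name
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: returns (refused, mode after hardened, mode after naive)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.bin")  # file the user must not control
        user_dir = os.path.join(root, "user_writable")   # location the user controls
        os.mkdir(user_dir)
        with open(protected, "w") as fh:
            fh.write("privileged content\n")
        os.chmod(protected, 0o600)
        linked = os.path.join(user_dir, "service.log")
        os.link(protected, linked)  # second name for the same file
        try:
            hardened_reset(linked)
            refused = False
        except PermissionError:
            refused = True
        after_hardened = stat.S_IMODE(os.stat(protected).st_mode)
        naive_reset(linked)
        after_naive = stat.S_IMODE(os.stat(protected).st_mode)
        return refused, after_hardened, after_naive

if __name__ == "__main__":
    print(demo())
```

On Windows the corresponding link count is the `nNumberOfLinks` field returned by `GetFileInformationByHandle`, which a privileged service can check on the open handle before applying a new DACL.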
The software’s intended purpose is to monitor the overall health of the PC. It monitors the battery and firewall, and checks for driver updates. It comes pre-installed on the majority of Lenovo PCs, including desktops and laptops, for both businesses and consumers.
The problematic version is 03.12.003, which Lenovo said is no longer supported. According to Lenovo, the software was originally released in 2011. Lenovo said LSC has been “officially” designated end of life since November 2018. However, a version is still available for download via the Lenovo website.
Lenovo’s LSC software has been a source of many headaches for Lenovo. In 2016, researchers found a similar escalation of privileges bug. In 2015, the hacking group Slipstream/RoL demonstrated a proof-of-concept attack that exploited an LSC bug that allowed a malicious web page to execute code on Lenovo PCs with system privileges.
The LSC security flaw is the most recent in a long list of security fumbles that have plagued Lenovo over the past year. In February 2015, Lenovo was put in the security hot seat when researchers discovered a piece of software called Superfish that injected ads on websites and could be abused by hackers to read encrypted passwords and web-browsing data.
Last August, Lenovo again landed in hot water when it was criticized for automatically downloading Lenovo Service Engine software, labeled as unwanted bloatware by many. Worse, when users removed the software, Lenovo systems were configured to download and reinstall the program without the PC owner’s consent.