Lenovo has released a new version of its System Update software to fix privilege escalation vulnerabilities discovered by IOActive researcher Sofiane Talmat.
Lenovo System Update is software designed to help users obtain driver, BIOS and application updates for Lenovo and Think systems. It was previously known as ThinkVantage System Update. System Update validates every update file it downloads from Lenovo's servers.
However, if malware is already present on the machine, the downloaded updates could be altered after validation but before installation. The latest version eliminates this possibility. System Update runs updates through a Windows service, SUService.exe.
The service only accepts a command when a valid security token is passed along with it; the token check is part of the service's authentication and validation process. Despite these precautions, a serious flaw was found in how the security token was generated, which allowed an attacker to run commands through the service. The latest Lenovo System Update release fixes the token authentication flaw.
Talmat also discovered that a local, unprivileged attacker could execute commands as a privileged Windows user. During an update, System Update launches its GUI under a temporary administrator account, and that GUI includes links to various pages on Lenovo's website. When a link is clicked, the page opens in a browser launched under the temporary admin account, and an attacker can leverage that elevated browser session.
The vulnerabilities were reported to Lenovo on November 2 and were patched on November 19 with the release of System Update 5.07.0019. Apart from this, the PC maker has released several other versions of its System Update software to address issues reported by researchers from Trustwave, IOActive and Tencent's Xuanwu Lab.
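Administrators who want to confirm that a fleet is no longer exposed need only compare the installed System Update version against the fixed build named above. The script below is an added example written for this page, not code from the article, IOActive or Lenovo. It assumes System Update registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "System Update" and a Lenovo publisher, and that the service binary sits at the default install path shown in the code; both are assumptions to adjust for your own image.

```powershell
# Added example (not from the article or from Lenovo): report whether the
# installed Lenovo System Update is at or above the fixed build 5.07.0019.
# Assumptions: the product appears under the standard Uninstall keys with a
# DisplayName containing "System Update" and a Lenovo publisher, and the
# service binary (SUService.exe) lives under the default path below.

$FixedVersion = [version]'5.07.0019'

function Get-LenovoSystemUpdateVersion {
    # Registry view used by Add/Remove Programs, covering 32- and 64-bit hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*System Update*' -and $_.Publisher -like 'Lenovo*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) {
        return [version]$entry.DisplayVersion
    }

    # Fallback: read the version stamped on the service binary itself.
    # Default install path is an assumption; override if your deployment differs.
    $base = ${env:ProgramFiles(x86)}
    if (-not $base) { $base = $env:ProgramFiles }   # 32-bit Windows has no (x86) dir
    $exe = Join-Path $base 'Lenovo\System Update\SUService.exe'
    if (Test-Path $exe) {
        # FileVersionRaw yields a proper [version] (Windows PowerShell 4.0+).
        return (Get-Item $exe).VersionInfo.FileVersionRaw
    }
    return $null
}

function Test-LenovoSystemUpdatePatched {
    param([version]$Installed, [version]$Fixed = $FixedVersion)
    # $true when the installed build is at or beyond the release carrying the fix.
    return ($Installed -ge $Fixed)
}

$installed = Get-LenovoSystemUpdateVersion
if (-not $installed) {
    Write-Output 'Lenovo System Update not found; nothing to patch on this host.'
} elseif (Test-LenovoSystemUpdatePatched -Installed $installed) {
    Write-Output "OK: System Update $installed is at or above $FixedVersion."
} else {
    Write-Output "VULNERABLE: System Update $installed predates $FixedVersion; update it."
    exit 1
}
```

Run it from an elevated PowerShell prompt on each host (or push it through your endpoint management tool) and treat a non-zero exit code as a finding. The registry lookup is preferred because it reflects what the installer registered; the file-version fallback only matters on machines where the Uninstall entry is missing or has been stripped by imaging.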
(Perfect Training Center)