Bugs in Lenovo laptops allow getting administrator privileges

Written by Emma Davis

Experts found privilege escalation bugs in the ImControllerService component on Lenovo laptops, including ThinkPad and Yoga series models. The problems allow attackers to execute commands with administrator privileges.

The vulnerabilities have identifiers CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component in all Lenovo System Interface Foundation versions below 1.1.20.3. On Windows, this service appears as a System Interface Foundation Service.

System Interface Foundation Service Properties

The problems were discovered by experts from the NCC Group, who notified Lenovo of their findings back in late October. The manufacturer released patches on November 17, 2021, and the corresponding user recommendations were made public on December 14, 2021.

Let me also remind you that recently Microsoft explained why Windows 10 crashes on Lenovo laptops.

As noted above, the problematic service is a component of the Lenovo System Interface Foundation and helps Lenovo devices interact with universal applications such as Lenovo Companion, Lenovo Settings, and Lenovo ID. The service is preinstalled on many of the company’s models, including Yoga and ThinkPad devices.

“The Lenovo System Interface Foundation Service provides interfaces for key functions, including system power management, system optimization, driver and application updates, and system settings for Lenovo applications, including Lenovo Companion, Lenovo Settings, and Lenovo ID. If you disable this service, Lenovo applications will not work properly,” the official description says.

Because ImController must retrieve and install files from Lenovo servers, launch child processes, and perform system setup and maintenance tasks, it runs with SYSTEM privileges. The root of the problem is that the service does not secure the communication with its privileged child processes and cannot validate the origin of serialized XML commands. In practice, this means that any other process, even a malicious one, can connect to the child process to execute its own commands.

“The first vulnerability is a race condition between the attacker and the parent process connecting to the named pipe of the child process. An attacker using file system synchronization routines can be guaranteed to win the race to connect to a named pipe from the parent process,” NCC Group experts explain.

The second bug is a time-of-check to time-of-use (TOCTOU) vulnerability, which allows an attacker to stall the loading of a verified ImControllerService plugin and replace it with a DLL of their choice, which leads to privilege escalation.
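The check-then-use gap behind the second bug, as an added illustration that is not code from Lenovo or NCC Group: a constructed loader verifies a file by path and then reopens it, next to a variant that verifies and returns the same bytes. The file name, the SHA-256 allowlist and the `between` hook (a stand-in for a concurrent writer) are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_check_then_use(path, trusted, between=lambda: None):
    """Racy pattern: verify the file at `path`, then reopen `path` to load it."""
    with open(path, "rb") as f:
        if digest(f.read()) not in trusted:
            raise PermissionError("untrusted plugin")
    between()  # window between check and use
    with open(path, "rb") as f:
        return f.read()  # may no longer be the bytes that were verified


def load_verified_bytes(path, trusted, between=lambda: None):
    """Hardened pattern: read once, verify those bytes, return the same bytes."""
    with open(path, "rb") as f:
        data = f.read()
    between()  # a later change to the file cannot affect `data`
    if digest(data) not in trusted:
        raise PermissionError("untrusted plugin")
    return data


def demo():
    # Constructed sample contents; no real plugin or DLL is involved.
    good, other = b"constructed trusted plugin", b"constructed replacement"
    trusted = {digest(good)}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plugin.bin")

        def write(content):
            with open(path, "wb") as f:
                f.write(content)

        write(good)
        racy = load_check_then_use(path, trusted, lambda: write(other))
        write(good)
        safe = load_verified_bytes(path, trusted, lambda: write(other))
    # (racy loader returned unverified content, hardened loader returned verified content)
    return racy == other, safe == good
```

When a library has to be loaded by path rather than from memory, the same property comes from keeping the file where unprivileged accounts cannot write and holding it open without write sharing from verification through loading; this is general hardening guidance, not a description of Lenovo's patch.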

All users of Lenovo notebooks and desktop solutions with ImController version 1.1.20.2 or lower are recommended to update to the most current version (1.1.20.3) as soon as possible.

Note that we also wrote that encrypting malware attacks NAS Synology and Lenovo Iomega, and that hackers attack Lenovo NAS, destroy data and demand ransom.
