Security researchers found bugs in Lenovo laptops of the ThinkPad and Yoga series: privilege escalation issues in the ImControllerService that allow attackers to execute commands with administrator privileges.
The vulnerabilities have the identifiers CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component in all Lenovo System Interface Foundation versions below 1.1.20.3. On Windows, this service appears as the System Interface Foundation Service.

The problems were discovered by researchers from the NCC Group, who notified Lenovo of their findings in late October. The manufacturer released patches on November 17, 2021, and the corresponding user recommendations were made public on December 14, 2021.
As a reminder, Microsoft recently explained why Windows 10 crashes on Lenovo laptops.
The problematic service is a component of the Lenovo System Interface Foundation and helps Lenovo devices interact with universal applications such as Lenovo Companion, Lenovo Settings, and Lenovo ID. The service is preinstalled on many of the company’s models, including Yoga and ThinkPad devices.
Since ImController must retrieve and install files from Lenovo servers, spawn child processes, and perform system setup and maintenance tasks, it runs with SYSTEM privileges. The root of the problem is that the service does not secure its communication with these privileged child processes and does not validate the origin of the serialized XML commands they receive. In practice, this means that any other process, including a malicious one, can connect to a child process and have it execute commands of its own.
The second bug is a time-of-check to time-of-use (TOCTOU) vulnerability: an attacker can interrupt the loading of an ImControllerService plugin after it has been verified and replace it with a DLL of their choice, which again leads to privilege escalation.
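The verify-then-load race behind the second bug, as an added Python illustration that is not Lenovo's code or the NCC Group's finding: a constructed plugin loader that hashes a file and then reopens the path to load it (the TOCTOU shape), beside one that verifies the exact bytes it loads. The hash allow-list, the file contents and the `race` hook that stands in for the race window are all constructed for this demo.

```python
import hashlib
import os
import tempfile

# Constructed allow-list: the loader accepts only a plugin whose SHA-256 matches.
TRUSTED_PLUGIN = b"trusted plugin code (constructed stand-in for a signed DLL)"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_PLUGIN).hexdigest()
REPLACED_PLUGIN = b"replaced plugin code (constructed stand-in for a swapped DLL)"

def _verify(data):
    return hashlib.sha256(data).hexdigest() == TRUSTED_DIGEST

def load_plugin_toctou(path, race=None):
    """Vulnerable shape: verify the file at `path`, then reopen `path` to load it.
    Whatever is on disk at the second open gets loaded, verified or not."""
    with open(path, "rb") as f:
        if not _verify(f.read()):
            return None
    if race:                      # hypothetical hook standing in for the race window
        race(path)
    with open(path, "rb") as f:   # second open: the file may have changed by now
        return f.read()

def load_plugin_safe(path, race=None):
    """Hardened shape: read once, verify those bytes, load those same bytes.
    A later change on disk cannot alter what was already verified."""
    with open(path, "rb") as f:
        data = f.read()
    if race:
        race(path)
    return data if _verify(data) else None

def _swap_file(path):
    # Constructed stand-in for the plugin replacement the article describes.
    with open(path, "wb") as f:
        f.write(REPLACED_PLUGIN)

def demo(loader, swap=_swap_file):
    """Write the trusted plugin to a temp file and run `loader` with `swap` racing it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(TRUSTED_PLUGIN)
        return loader(path, race=swap)
    finally:
        os.remove(path)
```

Both loaders accept the untouched file; only the reopen-by-path loader ends up loading the replaced bytes when the swap lands between check and use.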
All users of Lenovo laptops and desktops with ImController version 1.1.20.2 or lower are advised to update to the current version (1.1.20.3) as soon as possible.
We have also written about encrypting malware attacking Synology and Lenovo Iomega NAS devices, and about hackers attacking Lenovo NAS devices, destroying data and demanding ransom.