There is a serious privilege escalation vulnerability in software that is included with every Lenovo laptop. Fortunately, the company has now released a patch.
According to the company, the Lenovo Solution Center (LSC) is a software application created by Lenovo that allows users to perform diagnostic functions and quickly identify the status of PC system hardware and software health, network connections and the presence of security features such as firewalls or antivirus programs. However researcher Martin Rakhmanov of Trustwave’s SpiderLabs found that v 2.8 of LSC allowed anyone to open the Device Manager running as LocalSystem and run arbitrary code in various ways.
The vulnerability, known officially as CVE-2016-1876, was patched in last April by Lenovo.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 it updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” a Lenovo spokesperson told Threatpost
“This is a pretty bad vulnerability, but it does require an existing user to be logged in in order to pull off any attack,” Karl Sigler, a SpiderLabs researcher at Trustwave, said in an email interview with Threatpost. He said the attack can’t be exploited remotely. “For a malicious insider or for an attacker that already has a foothold in the network, this vulnerability could be used to make that foothold a full gateway to your network,” he said.