Security News Lenovo Bloatware Patched to Fix System Takeover Bug

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Lenovo has hidden a crucial security update in an old security advisory from last year. The advisory details fixes for a vulnerability that, if exploited, could allow a malicious actor to take over the user's computer via the company's pre-installed junkware called the Lenovo Solution Center.

Lenovo users should now go to Lenovo's website and download the Lenovo Solution Center version 3.3.002 in order to patch their systems against the vulnerability identified as CVE-2016-1876.

Newest issue allows total device takeover
An unnamed security researcher from Trustwave discovered the issue, which is a local privilege escalation that allows an attacker to get elevated system access, which in turn allows him to execute code without restrictions on the machine. Depending on the attacker's skill level, he can very easily take over a user's device.

The Lenovo Solution Center is a software application that comes pre-installed on all Lenovo laptops and computers. The company designed it to help users manage their drivers, install necessary updates, or debug their computers.

Despite their best intentions, the software is rarely used, and very few users know of its presence. In industry circles, such built-in & rarely used software is often referred to as junkware or bloatware.

Lenovo has a history of security issues
This is not the first time security experts have found issues in Lenovo's backyard. In February 2015, researchers found that Lenovo was dispatching a root certificate with its laptops. This incident became infamous in infosec circles as Superfish.

Later in December, security researchers from LizardHQ discovered three different issues in the bloatware of Dell, Toshiba, and Lenovo devices.

In that incident, Lenovo's Solution Center featured another privilege escalation issue, which the company fixed with version 2.0. It is in the advisory of this issue where Lenovo added the second problem reported by the Trustwave researcher.

UPDATE: Lenovo has provided the following statement regarding the most recent security issue:

In December 2015, Lenovo posted a security advisory that acknowledged vulnerabilities in its Lenovo Solution Center (LSC) software that could be used to compromise a system through a remote privilege escalation attack. Lenovo then urgently posted fixes that addressed these vulnerabilities. Subsequently, Trustwave, an independent researcher, reported to Lenovo a separate security vulnerability in Lenovo Solution Center that could lead to an unauthorized local privilege escalation. In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 again updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it. We recommend users update their systems to the latest Lenovo System Update version 3.3.002 that addresses all of the known security vulnerabilities.
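As an added example (not from the article, from Lenovo, or from any poster in this thread), here is a PowerShell check an administrator could run to see whether a machine's Lenovo Solution Center is at or above the fixed version 3.3.002 named above. It assumes the product is registered under the standard Windows Uninstall registry keys with a DisplayName containing "Lenovo Solution Center"; that name match is an assumption, since the thread does not give the exact DisplayName.

```powershell
# Added example, not Lenovo's or the article's code: report whether the
# installed Lenovo Solution Center build is at or above the fixed version.
# Assumption: the product appears under the standard Uninstall keys with a
# DisplayName containing "Lenovo Solution Center".

$FixedVersion = [version]'3.3.002'   # fixed version quoted in the thread

function Get-LenovoSolutionCenterInstall {
    # Both the native and the WOW6432Node hives, since the app may be 32-bit.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Lenovo Solution Center*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-LscPatched {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [version]$Required = $FixedVersion
    )
    # DisplayVersion strings sometimes carry a trailing build tag; keep only
    # the leading digits and dots so [version] can parse them.
    $numeric = $InstalledVersion -replace '[^0-9.].*$', ''
    $parsed = $null
    if (-not [version]::TryParse($numeric, [ref]$parsed)) {
        # Unparseable version: treat as unpatched so it gets looked at.
        return $false
    }
    return ($parsed -ge $Required)
}

$installs = @(Get-LenovoSolutionCenterInstall)
if ($installs.Count -eq 0) {
    Write-Output "Lenovo Solution Center not found on $env:COMPUTERNAME; nothing to patch."
} else {
    foreach ($i in $installs) {
        $status = if (Test-LscPatched -InstalledVersion $i.DisplayVersion) {
            'PATCHED'
        } else {
            'VULNERABLE - update to 3.3.002 or later'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = $i.DisplayName
            Version  = $i.DisplayVersion
            Status   = $status
        }
    }
}
```

Run it locally with administrator rights on one machine first to confirm the DisplayName match; for a fleet, the same script body can be passed to Invoke-Command against a list of hosts and the resulting objects exported with Export-Csv to produce an inventory of who still needs the update.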
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
Just as the dust has settled on the Superfish controversy, another piece of software installed on Lenovo PCs is causing problems. This time it's due to a major malware exploit.

The problem is with Lenovo Solution Center (LSC) software, which the company describes as "a central hub for monitoring system health and security." LSC is supposed to monitor your system's virus and firewall status, update your software, perform backups, check battery health, and get registration and warranty information.

Unfortunately, it also has a vulnerability that allows a malicious attacker to start the LSC service and trick it into executing arbitrary code in the local system context, according to researchers at Trustwave SpiderLabs.

The SpiderLabs researcher who found the exploit said it is a pretty bad vulnerability, but it does require an existing user to be logged in in order to pull off any attack, so it could not be exploited remotely like most vulnerabilities.

can be downloaded by visiting the software's page on the Lenovo home site. It's only because a fix is available that SpiderLabs disclosed the vulnerability.

This is not the first time there has been a problem with LSC. In December 2015, a hacking group called Slipstream/RoL demonstrated a proof-of-concept exploit that allowed a malicious web page to execute code on Lenovo PCs with system privileges. They did it without warning Lenovo in advance, which was not very cool.
 

generalwu

Level 5
Verified
Well-known
Jan 25, 2016
219
Just saw this not too long ago.

As my company is all using Lenovo's products, this is certainly disturbing news.

I have informed all of my colleagues about the risk and had them upgrade the version as advised by Lenovo. ;)
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
Just saw this not too long ago.

As my company is all using Lenovo's products, this is certainly disturbing news.

I have informed all of my colleagues about the risk and had them upgrade the version as advised by Lenovo. ;)
I hear that Lenovo is one of the best companies in the world with the best quality... :)
 

Alkajak

Security Alert! - Lenovo Bloatware Patched to Fix System Takeover Bug

Already patched.

 

Entreri

Level 7
Verified
May 25, 2015
342
Too much bloatware. Everyone puts it on, besides a very few like Apple. Another reason to get rid of all of it.
 
