Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Centre software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges.
Research come from Pen Test Partners, who found the flaw (
CVE-2019-6177) and said the vulnerability is tied to its much-maligned Lenovo Solution Center (LSC) software.
“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control,” wrote researchers at Pen Test Partners in a technical
description of the bug posted Thursday.
Lenovo issued a security bulletin regarding this bug and recommended users upgrade to a similar utility called Lenovo Vantage.
threatpost.com
