Lenovo, which is the world’s largest PC seller, is seeking to address security vulnerabilities that the federally funded CERT Coordination Center says “can allow an attacker to attack” through “multiple vulnerabilities.” Toshiba and Dell also have been hit.
And CERT notes there is no easy solution to the Lenovo problem.
“The CERT/CC is currently unaware of a practical solution to this problem,” it said, recommending instead a “workaround.”
Impact, as noted by CERT:
“By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.”
Lenovo says it is working on the problem.
“Lenovo was recently alerted by a cyber-security threat intelligence partner and The CERT/CC to a vulnerability report concerning its Lenovo Solution Center (LSC) application. We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible,” Lenovo said in a statement when the vulnerability was disclosed.
The CERT Coordination Center (CERT/CC) is the computer emergency response team (CERT) for the Software Engineering Institute (SEI), which is funded by the federal government.
PCWorld notes that Toshiba and Dell also have been hit by problems.
The CERT warning
Here’s the CERT warning on Lenovo:
“The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.”
CWE-732: Incorrect Permission Assignment for Critical Resource
Launching the Lenovo Solution Center creates a process called LSCTaskService, which runs with SYSTEM privileges. This process runs an HTTP daemon on port 55555, which allows HTTP GET and POST requests to execute methods in the LSCController.dll module. This component includes a number of unsafe methods, including RunInstaller, which is designed to execute arbitrary code from the %APPDATA%\LSC\Local Store directory. This directory is created for each user that logs in to an affected system. The user can write to this directory, regardless of whether the account has administrative privileges on the system. This vulnerability can allow a standard local user to execute arbitrary code with SYSTEM privileges.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Due to a directory traversal vulnerability, Lenovo Solution Center allows an attacker to execute code that resides in an arbitrary location on the drive where user profile directories exist. If an attacker can place arbitrary code in a predictable location on a vulnerable system, this can allow for arbitrary code execution with SYSTEM privileges.
CWE-353: Cross-Site Request Forgery (CSRF)
The LSCTaskService component of Lenovo Solution Center contains a CSRF vulnerability. This vulnerability allows web content hosted by any domain to successfully execute requests using the vulnerable service. The CSRF vulnerability in Lenovo Solution Center allows a malicious or compromised web site to be able to cause code execution with SYSTEM privileges on an affected Lenovo system.
Note that all of these vulnerabilities appear to require that the user has launched the Lenovo Solution Center at least once. Simply closing the Lenovo Solution Center does appear to stop the vulnerable LSCTaskService process.
Lenovo has provided the following statement:
“Lenovo was recently alerted by a cyber-security threat intelligence partner and The CERT/CC to a vulnerability report concerning its Lenovo Solution Center (LSC) application. We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this Lenovo security advisory page (https://support.lenovo.com/us/en/product_security/len_4326) as they become available.”
By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.
The CERT/CC is currently unaware of a practical solution to this problem. However, please consider the following workaround:
- Uninstall or close Lenovo Solution Center: Uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities. Closing any running instance of Lenovo Solution Center also prevents exploitation.
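The CSRF and path traversal weaknesses CERT describes come down to two checks a privileged local HTTP service can make before it acts on a request. The sketch below is an added illustration, not Lenovo's or CERT's code; the header name `X-Session-Token`, the per-session token scheme and the function names are assumptions.

```python
import hmac
import os

PORT = 55555  # port named in the advisory
ALLOWED_HOSTS = {f"127.0.0.1:{PORT}", f"localhost:{PORT}"}
ALLOWED_ORIGINS = {"http://" + h for h in ALLOWED_HOSTS}
TOKEN_HEADER = "X-Session-Token"  # hypothetical header name


def request_is_authorized(headers, session_token):
    """True only for requests from the local client that holds the token.

    headers is a dict keyed by canonical header name; session_token is a
    random secret shared only with the local GUI (assumed scheme).
    """
    if headers.get("Host", "").lower() not in ALLOWED_HOSTS:
        return False  # reached under another name, e.g. DNS rebinding
    origin = headers.get("Origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False  # a page served by another site initiated this request
    supplied = headers.get(TOKEN_HEADER, "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())


def resolve_installer(base_dir, requested_name):
    """Return the real path of requested_name inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison
    candidate = os.path.realpath(os.path.join(base, requested_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    if not inside or candidate == base or not os.path.isfile(candidate):
        return None
    return candidate
```

Neither check helps if the base directory is writable by standard users, which is the CWE-732 condition in the advisory; the directory itself has to be restricted to administrators.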
Lenovo operates its global executive headquarters in Morrisville.