Lenovo Vantage Component Vulnerabilities
Lenovo Security Advisory: LEN-75210
Potential Impact: Privilege escalation
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2021-3922, CVE-2021-3969
Summary Description:
The following vulnerabilities were reported in the IMController component of Lenovo System Interface Foundation used by Lenovo Vantage and Commercial Vantage.
CVE-2021-3922: A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to connect and interact with the IMController child process' named pipe.
CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to elevate privileges.
Mitigation Strategy for Customers (what you should do to protect yourself):
Update the IMController component of Lenovo System Interface Foundation to version 1.1.20.3.
The Lenovo IMController software component is automatically updated by the Lenovo System Interface Foundation Service. To immediately start the update process, reboot the computer or restart the "System Interface Foundation Service" service.
To verify the Lenovo IMController version:
- Open File Explorer and navigate to C:\Windows\Lenovo\ImController\PluginHost\
- Right click on Lenovo.Modern.ImController.PluginHost.exe and select Properties.
- Click on the Details tab.
- Read the File version.
Another option is to manually download and install the update. The latest version of Lenovo System Interface Foundation can be downloaded here: https://filedownload.lenovo.com/enm/sift/core/System-Interface-Foundation-Update-64.exe
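To check the fix state without clicking through Properties dialogs, the following PowerShell snippet (an added example, not part of Lenovo's advisory) reads the file version of Lenovo.Modern.ImController.PluginHost.exe at the path given above and compares it against 1.1.20.3. The path and the fixed version come from the advisory; the service display name "System Interface Foundation Service" is taken from the advisory's wording and is an assumption as a `-DisplayName` value, and the `-RestartService` switch and the function name `Test-ImControllerVersion` are this example's own.

```powershell
function Test-ImControllerVersion {
    [CmdletBinding()]
    param(
        # Path from LEN-75210; override only if the component lives elsewhere.
        [string]$PluginHost = 'C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe',
        # First fixed version named in the advisory.
        [System.Version]$FixedVersion = [System.Version]'1.1.20.3',
        # If set and the component is outdated, restart the updater service so the
        # self-update runs now (requires an elevated prompt). Service display name is
        # an assumption based on the advisory text.
        [switch]$RestartService
    )

    if (-not (Test-Path -LiteralPath $PluginHost)) {
        return [pscustomobject]@{
            Path      = $PluginHost
            Installed = $null
            Fixed     = $FixedVersion
            Status    = 'NotInstalled'
        }
    }

    # Build a System.Version from the numeric parts rather than parsing the
    # FileVersion string, which some vendors pad with free text.
    $vi = (Get-Item -LiteralPath $PluginHost).VersionInfo
    $installed = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    $status = if ($installed -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }

    if ($status -eq 'Vulnerable' -and $RestartService) {
        # Assumed display name; Restart-Service accepts -DisplayName directly.
        Restart-Service -DisplayName 'System Interface Foundation Service' -ErrorAction Stop
        $status = 'Vulnerable-UpdateTriggered'
    }

    return [pscustomobject]@{
        Path      = $PluginHost
        Installed = $installed
        Fixed     = $FixedVersion
        Status    = $status
    }
}

# Usage: report only, then (elevated) trigger the self-update if outdated.
Test-ImControllerVersion
# Test-ImControllerVersion -RestartService
```

The function returns an object rather than printing, so it can be run across a fleet (for example through `Invoke-Command`) and the `Status` field filtered for `Vulnerable`. After a restart of the service, allow the self-update to complete and run the check again before treating the host as remediated.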
Acknowledgement:
Lenovo thanks Rick Veldhoven from Fox-IT, part of NCC Group for reporting this issue.
Revision History:
| Revision | Date | Description |
|---|---|---|
| 3 | 2021-12-21 | Added Commercial Vantage to Summary Description |
| 2 | 2021-12-17 | Updated Mitigation Strategy to include Lenovo System Interface Foundation manual update steps |
| 1 | 2021-12-14 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.