Lenovo Vantage Component Vulnerabilities

Lenovo Security Advisory: LEN-75210

Potential Impact: Privilege escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2021-3922, CVE-2021-3969

 

Summary Description:

The following vulnerabilities were reported in the IMController component of Lenovo System Interface Foundation used by Lenovo Vantage and Commercial Vantage.

CVE-2021-3922: A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to connect and interact with the IMController child process' named pipe.

CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to elevate privileges.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

Update the IMController component of Lenovo System Interface Foundation to version 1.1.20.3.

The Lenovo IMController software component is automatically updated by the Lenovo System Interface Foundation Service. To immediately start the update process, reboot the computer or restart the "System Interface Foundation Service" service.

To verify the Lenovo IMController version:

  1. Open File Explorer and navigate to C:\Windows\Lenovo\ImController\PluginHost\
  2. Right-click on Lenovo.Modern.ImController.PluginHost.exe and select Properties.
  3. Click on the Details tab.
  4. Read the File version.
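
The same check can be scripted for machines that are managed remotely. The PowerShell below is an added example, not part of Lenovo's advisory: the file path, fixed version and service display name come from the advisory, while the function name Get-ImControllerStatus and the status labels are hypothetical.

```powershell
# Added example (not Lenovo code). Path, fixed version and service display name are
# taken from the advisory; function name and status labels are hypothetical.
$FixedVersion = [version]'1.1.20.3'
$PluginHost   = 'C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe'

function Get-ImControllerStatus {
    param(
        [string]  $Path    = $PluginHost,
        [version] $Minimum = $FixedVersion
    )

    # Component absent: nothing to update on this machine.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; FileVersion = $null; Status = 'NotInstalled' }
    }

    # Build the version from the numeric fields of the version resource
    # (the FileVersion string can carry extra text).
    $vi    = (Get-Item -LiteralPath $Path).VersionInfo
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    $status = if ($found -ge $Minimum) { 'Updated' } else { 'NeedsUpdate' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; FileVersion = $found; Status = $status }
}

$result = Get-ImControllerStatus
$result

# Restarting the service starts the automatic update, as described above.
# Requires an elevated session; re-run the check afterwards to confirm.
if ($result.Status -eq 'NeedsUpdate') {
    Get-Service -DisplayName 'System Interface Foundation Service' -ErrorAction SilentlyContinue |
        Restart-Service -Verbose
}
```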

Another option is to manually download and install the update. The latest version of Lenovo System Interface Foundation can be downloaded here: https://filedownload.lenovo.com/enm/sift/core/System-Interface-Foundation-Update-64.exe

 

Acknowledgement:

Lenovo thanks Rick Veldhoven from Fox-IT, part of NCC Group, for reporting this issue.

 

Revision History:

Revision  Date        Description
3         2021-12-21  Added Commercial Vantage to Summary Description
2         2021-12-17  Updated Mitigation Strategy to include Lenovo System Interface Foundation manual update steps
1         2021-12-14  Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


Alias Id: LEN-75210
Document ID: PS500461
Original Publish Date: 12/14/2021
Last Modified Date: 12/21/2021