Lenovo System Update Privilege Escalation Vulnerability

Lenovo Security Advisory: LEN-76673

Potential Impact: Privilege escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2022-0354

Summary Description:

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access to execute code with elevated privileges. The issue is exploitable only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window.

Lenovo System Update is also used in Lenovo Vantage, Commercial Vantage, and Thin Installer.

Mitigation Strategy for Customers (what you should do to protect yourself):

System Update packages with a Release Date after 2022-02-25 are not affected.

For packages released prior to 2022-02-25, Lenovo recommends following safe computing practices to prevent unauthorized system access.

Acknowledgement:

Lenovo thanks Daniel Feichter (@VirtualAllocEx) at Infosec Tirol for reporting this issue.

Revision History:

Revision  Date        Description
1         2022-04-12  Initial release

Alias Id: LEN-76673
Document ID: PS500483
Original Publish Date: 04/12/2022
Last Modified Date: 04/13/2022