Lenovo System Update Privilege Escalation Vulnerability
Lenovo Security Advisory: LEN-76673
Potential Impact: Privilege escalation
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2022-0354
Summary Description:
A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access to execute code with elevated privileges. The exposure exists only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window.
Lenovo System Update is also used in Lenovo Vantage, Commercial Vantage, and Thin Installer.
Mitigation Strategy for Customers (what you should do to protect yourself):
System Update packages with a Release Date after 2022-02-25 are not affected.
For packages released prior to 2022-02-25, Lenovo recommends following safe computing practices to prevent unauthorized system access.
Acknowledgement:
Lenovo thanks Daniel Feichter (@VirtualAllocEx) at Infosec Tirol for reporting this issue.
Revision History:
| Revision | Date | Description |
|---|---|---|
| 1 | 2022-04-12 | Initial release |