LDCC and LADM Privilege Escalation Vulnerabilities

Lenovo Security Advisory: LEN-155486

Potential Impact: Privilege Escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2024-2175, CVE-2024-4763

 

Summary Description:

The following vulnerabilities were reported in Lenovo Display Control Center (LDCC) and Lenovo Accessories and Display Manager (LADM):

CVE-2024-2175: An insecure permissions vulnerability was reported that could allow a local attacker to escalate privileges. 

CVE-2024-4763: An insecure driver vulnerability was reported that could allow a local attacker to escalate privileges to kernel.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

Update Lenovo Display Control Center to version 3.0.29082.0 or later.

Update Lenovo Accessories and Display Manager to version 1.0.3.05 or later.
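
The following is an added example, not part of Lenovo's advisory: a fleet check that compares installed versions against the two minimum fixed versions listed above. The inventory CSV, its column names and the host names are constructed, and the code assumes version fields compare numerically (so 1.0.3.05 is read as 1.0.3.5).

```python
import csv
import io

# Minimum fixed versions, taken from the advisory's Mitigation Strategy.
MIN_FIXED = {
    "Lenovo Display Control Center": (3, 0, 29082, 0),
    "Lenovo Accessories and Display Manager": (1, 0, 3, 5),  # published as 1.0.3.05
}

def parse_version(text):
    """Turn '1.0.3.05' into (1, 0, 3, 5) so fields compare as numbers, not strings."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    # Pad to four fields so '3.0.29082' equals '3.0.29082.0'.
    return tuple(nums + [0] * (4 - len(nums)))

def audit(inventory_csv):
    """Return (host, product, version, status) for the two affected products."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip()
        minimum = MIN_FIXED.get(product)
        if minimum is None:
            continue  # product not covered by LEN-155486
        try:
            status = "ok" if parse_version(row["version"]) >= minimum else "vulnerable"
        except ValueError:
            status = "unknown"  # surface bad data instead of assuming patched
        findings.append((row["host"], product, row["version"], status))
    return findings

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,product,version
pc-001,Lenovo Display Control Center,3.0.9000.0
pc-002,Lenovo Display Control Center,3.0.29082.0
pc-003,Lenovo Accessories and Display Manager,1.0.3.5
pc-004,Lenovo Accessories and Display Manager,1.0.2.99
pc-005,Lenovo Display Control Center,unknown
pc-006,Some Other Tool,1.0.0.0
"""

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE):
        print(f"{host:8} {status:10} {product} {version}")
```

A plain string comparison would rank 3.0.9000.0 above 3.0.29082.0 and report pc-001 as patched, which is why the versions are parsed into integer tuples first.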

 

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

 

Acknowledgement:

Lenovo thanks Alaa Kachouh and Fabrizio Noviello of Deloitte Belgium and Alain Rödel of Neodyme AG for independently reporting CVE-2024-2175.

Lenovo thanks Alain Rödel of Neodyme AG for reporting CVE-2024-4763.

 

Revision History:

Revision  Date        Description
3         2024-08-15  Removed Product Impact. Please see Mitigation Strategy for product update details.
2         2024-08-14  Fix typo in CVE-2024-4763
1         2024-08-13  Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


Alias Id: LEN-155486
Document ID: PS500636
Original Publish Date: 08/13/2024
Last Modified Date: 08/15/2024