
Lenovo UDC Vulnerability


Lenovo Security Advisory: LEN-121183

Potential Impact: Privilege Escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2023-3078, CVE-2023-6338

 

Summary Description:

Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges.

Lenovo UDC is a service used to connect clients with Lenovo cloud services and is preloaded on some Lenovo devices. Lenovo UDC is also a component of the following products:

Mitigation Strategy for Customers (what you should do to protect yourself):

Note: Added CVE-2023-6338 due to an incomplete fix to CVE-2023-3078.

Customers should update the Universal Device Client to version 23.10 or higher.

Lenovo UDC is updated automatically through Windows Update.

Lenovo UDC’s version can be validated using the following steps:
1. Start Device Manager from Control Panel
2. Expand System Devices
3. Locate and double-click "Universal Device Client Device"
4. Click the Driver tab to check the current version

 

UDC Driver
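The same check can be scripted for use across many machines. This is an added example, not Lenovo's own tooling; it assumes the version shown on the Driver tab is the `DriverVersion` that `Win32_PnPSignedDriver` reports for the device and that it is a dotted numeric string comparable to 23.10. The function name and status labels are hypothetical.

```powershell
# Added example: scripted equivalent of the Device Manager steps above.
# Assumption: DriverVersion is dotted numeric (e.g. major.minor[.build.rev]).
$DeviceName = 'Universal Device Client Device'   # device name from step 3
$MinVersion = [version]'23.10'                   # fixed version per the advisory

function Get-UdcDriverStatus {
    # Query signed PnP drivers for the UDC device on the local machine.
    $filter  = "DeviceName = '$DeviceName'"
    $drivers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver -Filter $filter)

    # UDC is preloaded only on some devices, so absence is a valid result.
    if ($drivers.Count -eq 0) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Version = $null; Status = 'NotInstalled'
        }
    }

    foreach ($d in $drivers) {
        $parsed = $null
        # Do not guess when the version string is not dotted numeric.
        $status = if (-not [version]::TryParse($d.DriverVersion, [ref]$parsed)) {
            'UnparsedVersion'
        } elseif ($parsed -ge $MinVersion) {
            'Updated'
        } else {
            'NeedsUpdate'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Version = $d.DriverVersion; Status = $status
        }
    }
}

Get-UdcDriverStatus | Format-Table -AutoSize
```

Machines that report `NeedsUpdate` or `UnparsedVersion` should be checked by hand using the Device Manager steps.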

Acknowledgement:

Lenovo thanks Jérôme TCHAN from the Offensive Security Center of Deloitte France for reporting CVE-2023-3078

Lenovo thanks Moritz Rauch of advact AG for reporting CVE-2023-6338

 

References:

https://support.lenovo.com/us/en/solutions/ht512542-lenovo-extend-knowledge-base-and-guide

https://support.lenovo.com/us/en/solutions/ht511072-lenovo-device-intelligence

https://www.lenovo.com/us/en/software/lenovo-device-manager/

https://smartsupport.lenovo.com/us/en/downloads/ds542392

 

Revision History:

| Revision | Date | Description |
|---|---|---|
| 4 | 2024-04-24 | Update mitigation section |
| 3 | 2023-12-14 | Update formatting only |
| 2 | 2023-12-12 | Added CVE-2023-6338 |
| 1 | 2023-07-11 | Initial release |

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 


Alias ID: LEN-121183
Document ID: PS500567
Original Publish Date: 07/11/2023
Last Modified Date: 04/24/2024