Lenovo UDC Vulnerability
Lenovo Security Advisory: LEN-121183
Potential Impact: Privilege Escalation
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2023-3078, CVE-2023-6338
Summary Description:
Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges.
Lenovo UDC is a service used to connect clients with Lenovo cloud services and is preloaded on some Lenovo devices. Lenovo UDC is also a component of the following products:
Mitigation Strategy for Customers (what you should do to protect yourself):
Note: Added CVE-2023-6338 due to an incomplete fix to CVE-2023-3078.
Customers should update the Universal Device Client to version 23.10 or higher.
Lenovo UDC is updated automatically through Windows Update.
Lenovo UDC’s version can be validated using the following steps:
1. Start Device Manager from Control Panel
2. Expand System Devices
3. Locate and double-click "Universal Device Client Device"
4. Click the driver tab to check the current version
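The same check can be scripted for use across many machines. The following is an added example, not Lenovo's code: it assumes the `Win32_PnPSignedDriver` CIM class reports the same version shown on the Driver tab and that this version is a dotted numeric string comparable to "23.10"; the function name `Test-UdcVersion` is hypothetical.

```powershell
# Added example: scripted equivalent of the Device Manager steps above.
# Assumption: the driver version string is dotted numeric (e.g. major.minor.x.y)
# and is directly comparable to the "23.10" minimum stated in this advisory.
$DeviceName = 'Universal Device Client Device'   # device name from step 3
$MinVersion = [version]'23.10'                   # minimum version from the advisory

function Test-UdcVersion {
    param(
        [Parameter(Mandatory)][string]$DriverVersion,
        [version]$Minimum = $MinVersion
    )
    $parsed = $null
    if (-not [version]::TryParse($DriverVersion, [ref]$parsed)) {
        return 'Unknown'      # unparsable version string: review manually
    }
    if ($parsed -ge $Minimum) { 'Patched' } else { 'Vulnerable' }
}

# Query installed signed drivers and keep only the UDC device entry.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -eq $DeviceName }

if (-not $drivers) {
    # UDC is preloaded only on some devices, so absence is a valid result.
    Write-Output "UDC device not found on $env:COMPUTERNAME"
    return
}

foreach ($d in $drivers) {
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        DeviceName    = $d.DeviceName
        DriverVersion = $d.DriverVersion
        Status        = Test-UdcVersion -DriverVersion $d.DriverVersion
    }
}
```

Machines reported as `Vulnerable` or `Unknown` should be confirmed through Device Manager and updated through Windows Update as described above.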
Acknowledgement:
Lenovo thanks Jérôme TCHAN from the Offensive Security Center of Deloitte France for reporting CVE-2023-3078.
Lenovo thanks Moritz Rauch of advact AG for reporting CVE-2023-6338.
References:
https://support.lenovo.com/us/en/solutions/ht512542-lenovo-extend-knowledge-base-and-guide
https://support.lenovo.com/us/en/solutions/ht511072-lenovo-device-intelligence
https://www.lenovo.com/us/en/software/lenovo-device-manager/
https://smartsupport.lenovo.com/us/en/downloads/ds542392
Revision History:
Revision | Date | Description |
---|---|---|
4 | 2024-04-24 | Update mitigation section |
3 | 2023-12-14 | Update formatting only |
2 | 2023-12-12 | Added CVE-2023-6338 |
1 | 2023-07-11 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.