LEN-7814 Lenovo Solution Center Arbitrary Process Termination or Code Execution by Unprivileged Local Users

Lenovo Security Advisory: LEN-7814

Potential Impact: Arbitrary process termination or code execution by unprivileged local users 
Severity: High
Scope of Impact: Lenovo specific

Summary Description:
Local privilege escalation vulnerabilities were identified in Lenovo Solution Center where unprivileged local users could terminate processes running at higher privilege levels (CVE-2016-5248) or execute arbitrary code (CVE-2016-5249) with LocalSystem account privileges.

The Lenovo Solution Center (LSC) is a software application created by Lenovo that allows users to perform diagnostic functions and quickly identify the status of PC system hardware and software health, network connections and the presence of security features such as firewalls or antivirus programs.

Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo has released an updated version of Lenovo Solution Center that addresses these vulnerabilities. To reach as many users as possible, Lenovo is providing this update through several channels, described below:

1) Updating via Lenovo Solution Center:
Open Lenovo Solution Center. A prompt will offer to automatically update LSC to the latest version. Depending on the version of Lenovo Solution Center installed, select either “Yes” or “Update Now” when presented with the prompt.

2) Updating via the Lenovo System Update utility
Open Lenovo System Update and click Next to Get new updates. Follow the prompts to update your system with the latest version of Lenovo Solution Center. 

3) Updating via direct download
Click on the download link on the following website and follow the instructions in the readme file to install the update manually: https://support.lenovo.com/lenovodiagnosticsolutions/downloads

4) Updating via the One Key Optimizer utility
Open Lenovo OneKey Optimizer. Click on "Update" and follow the prompts to update your system with the latest version of Lenovo Solution Center.

Product Impact:
Versions earlier than 3.3.003 of Lenovo Solution Center may be impacted by these vulnerabilities.
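
The following check is an added example, not part of Lenovo's advisory or tooling: a PowerShell script an administrator could run on a Windows system to report whether an installed Lenovo Solution Center is older than the fixed version 3.3.003. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "Lenovo Solution Center" and a dotted numeric DisplayVersion; the function name Get-LscStatus is hypothetical.

```powershell
# Added example: flags Lenovo Solution Center installs older than the fixed
# version named in this advisory (3.3.003).
# Assumptions: the product registers under the standard Uninstall keys with a
# DisplayName starting "Lenovo Solution Center" and a dotted DisplayVersion.
$FixedVersion = [version]'3.3.003'   # parsed as 3.3.3
$NamePattern  = 'Lenovo Solution Center*'

# Check both the native and the 32-bit (WOW6432Node) registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-LscStatus {
    param([string]$DisplayVersion)
    $parsed = $null
    # Keep only the leading dotted-numeric part of the version string.
    if ($DisplayVersion -match '^\s*(\d+(\.\d+){1,3})' -and
        [version]::TryParse($Matches[1], [ref]$parsed)) {
        if ($parsed -lt $FixedVersion) { return 'AFFECTED' }
        return 'FIXED'
    }
    return 'UNKNOWN'   # missing or unparseable version: review by hand
}

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Get-LscStatus -DisplayVersion $_.DisplayVersion
        }
    }

if (-not $found) {
    Write-Output "Lenovo Solution Center not found on $env:COMPUTERNAME"
} else {
    $found | Format-Table -AutoSize
    # Non-zero exit code lets inventory tooling flag the host for update.
    if ($found.Status -contains 'AFFECTED') { exit 1 }
}
```

A status of UNKNOWN means the version string could not be parsed and the install should be checked manually.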

Acknowledgements:
Lenovo thanks Martin Rakhmanov of Trustwave's SpiderLabs for reporting these vulnerabilities.

Other information and references:
CVE-2016-5248; CVE-2016-5249

Revision History:

Revision  Date        Description
1.1       2016-07-11  Added update method via One Key Optimizer utility
1.0       2016-06-23  Initial release

Alias Id: LEN_7814
Document ID: PS500055
Original Publish Date: 06/26/2016
Last Modified Date: 01/19/2017