Not only has a vulnerability been found in Lenovo Solution Centre (LSC), but the laptop maker fiddled with end-of-life dates to make it seem less important – and is now telling the world it EOL'd the vulnerable monitoring software before its final version was released.
The LSC privilege-escalation vuln (CVE-2019-6177) was found by Pen Test Partners (PTP), which said it has existed in the code since it first began shipping in 2011. It was bundled with the vast majority of the Chinese manufacturer's laptops and other devices, and requires Windows to run. If you removed the app, or blew it away with a Linux install, say, you're safe right now.
"The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control," PTP explained. "In this scenario, a low-privileged user can write a 'hardlink' file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn't have control of."
LSC runs a high-privileged scheduled task ten minutes (600 seconds) after a user logs onto the machine. The binary executed by the scheduled task overwrites the DACL of the Lenovo product's logs folder, PTP said, giving everyone in the Authenticated Users usergroup full read/write access to them. As all accounts are members of Authenticated Users, this means anyone can mess around with the logs.
Remember when Lenovo sold PCs with Superfish adware? It just got a mild scolding from FTCREAD MORE
By dropping a hardlink file into the logs folder pointing elsewhere on the target system, the LSC scheduled task can be used to escalate privileges for any file or executable. From there it's a short stretch to running arbitrary code with administrator-level privileges, and pwning the whole system in ten minutes. To be clear, to exploit this, you must already have access to the machine, either as a rogue logged-in user or with malware on the thing.
The solution? Uninstall Lenovo Solution Centre, and if you're really keen you can install Lenovo Vantage and/or Lenovo Diagnostics to retain the same branded functionality, albeit without the priv-esc part.
All straightforward. However, it went a bit awry when PTP reported the vuln to Lenovo. "We noticed they had changed the end-of-life date to make it look like it went end of life even before the last version was released," they told us.
Screenshots of the end-of-life dates – initially 30 November 2018, and then suddenly April 2018 after the bug was disclosed – can be seen on the PTP blog. The last official release of the software is dated October 2018, so Lenovo appears to have moved the EOL date back to April of that year for some reason.
"Sweeping a bug under the carpet?" mused PTP's Ken Munro to El Reg.
We have asked Lenovo why they changed the EOL date on the Lenovo Solution Centre page to make it look like they were releasing updates for a product they had already EOL'd.
"It’s often the case for applications that reach end of support that we continue to update the applications as we transition to new offerings is to ensure customers that have not transitioned, or choose not to, still have a minimal level of support, a practice that is not uncommon in the industry," was the response. ®