LEN-2015-011: Lenovo System Update Privilege Escalation - Lenovo Support US

2016-06-20 00:00:00
support.lenovo.com

EPSS: 0.001 (Low), percentile 36.0%

Lenovo Security Advisory: LEN-2015-011

**Potential Impact:** Execution of arbitrary code
**Severity:** Medium

Summary:

Several vulnerabilities have been identified within Lenovo System Update (previously known as ThinkVantage System Update). Lenovo has released a new version of the Lenovo System Update software that addresses these vulnerabilities.

Description:
Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system already contains malware, the downloaded updates could be altered between download and installation, creating a race condition. The latest Lenovo System Update release eliminates this possibility.
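The race described above is the classic check-then-use pattern: the file is verified at one moment and consumed at a later one, and anything that can write to the staging location in between wins. The following is an added illustration of that pattern beside its hardened form; it is not Lenovo's code and makes no claim about how System Update was implemented. The payload bytes, digest and staging directory are constructed here; the `between` hook simply stands in for other local code running in the gap.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Optional

# Constructed sample data: a stand-in update payload, the digest the client is
# told to expect for it, and a modified payload. None of this is a real package.
GENUINE_UPDATE = b"constructed update payload v1\n"
GENUINE_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()
TAMPERED_UPDATE = b"constructed modified payload\n"


def write_download(directory: str, data: bytes) -> str:
    """Stand-in for the downloader writing the update into a staging directory."""
    path = os.path.join(directory, "update.bin")
    with open(path, "wb") as f:
        f.write(data)
    return path


def install_check_then_use(path: str, expected_sha256: str,
                           between: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Check-then-use: verify the file on disk, later re-open it to install.
    `between` stands in for other local code that runs in the gap; whatever
    it leaves on disk is installed without being verified again."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected_sha256:
            return None
    if between is not None:
        between()                      # the window between check and use
    with open(path, "rb") as f:
        return f.read()                # installed unverified


def install_verify_at_use(path: str, expected_sha256: str,
                          between: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Verify-at-use: read the bytes once, verify exactly those bytes, and
    install only that buffer. A change before the read fails the check; a
    change after it cannot reach what is installed."""
    with open(path, "rb") as f:
        data = f.read()
    if between is not None:
        between()                      # same gap, now harmless
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256):
        return None
    return data


def demo() -> dict:
    """Run both patterns against a staging file that is rewritten in the gap."""
    results = {}
    with tempfile.TemporaryDirectory() as staging:
        path = write_download(staging, GENUINE_UPDATE)
        rewrite = lambda: write_download(staging, TAMPERED_UPDATE)
        results["check_then_use_installs"] = install_check_then_use(path, GENUINE_SHA256, rewrite)
        write_download(staging, GENUINE_UPDATE)          # reset the staging file
        results["verify_at_use_installs"] = install_verify_at_use(path, GENUINE_SHA256, rewrite)
        # The file on disk is now the modified payload; a fresh verify-at-use
        # install must refuse it outright.
        results["verify_at_use_on_modified_file"] = install_verify_at_use(path, GENUINE_SHA256)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hardened function either installs exactly the bytes it verified or refuses, regardless of what happens to the file afterwards. In a real updater the same principle has two further consequences: the verification must run inside the privileged component that performs the install, not only in the downloader, and the staging location should not be writable by unprivileged users in the first place.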

Lenovo System Update uses a service called SUService.exe to run system updates. As part of the authentication and validation process, the service only accepts commands if a valid security token is passed along with the command. Vulnerabilities were discovered in how the security tokens were generated, allowing an attacker to run commands. The latest Lenovo System Update release fixes the token authentication flaws.
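The advisory does not say how the tokens were generated, only that the generation was flawed. The following added example (not Lenovo's code, and a hypothetical scheme rather than a description of SUService.exe) contrasts the general failure mode, a token derived from state every local process can observe, with what a privileged service should require: a token from the OS CSPRNG, bound to the client it was issued to, valid once and for a limited time, and compared in constant time. The client identifiers and the controllable clock are constructed for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

TOKEN_TTL_SECONDS = 30.0


class PredictableTokenService:
    """Weak design (hypothetical, not Lenovo's actual scheme): the token is
    a function of the current second, which every local process can read, so
    the value the service expects can be computed without ever receiving it."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock

    def issue(self) -> str:
        return format(int(self._clock()), "x")

    def accept(self, token: str) -> bool:
        return token == self.issue()        # also not a constant-time compare


@dataclass
class RandomTokenService:
    """Hardened design: 256-bit token from the OS CSPRNG, bound to the client
    it was issued to, valid once and for a limited time, compared in constant time."""

    clock: Callable[[], float] = time.time
    _outstanding: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, client_id: str) -> str:
        token = secrets.token_hex(32)
        self._outstanding[client_id] = (token, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def accept(self, token: str, client_id: str) -> bool:
        entry = self._outstanding.pop(client_id, None)   # single use: consumed on any attempt
        if entry is None:
            return False
        expected, expires = entry
        return hmac.compare_digest(expected, token) and self.clock() <= expires


def demo() -> dict:
    """Exercise both services with a constructed, controllable clock."""
    now = [1_700_000_000.0]
    clock = lambda: now[0]

    weak = PredictableTokenService(clock)
    derived_elsewhere = format(int(clock()), "x")   # same recipe, same clock, no token received

    strong = RandomTokenService(clock)
    results = {"weak_accepts_derived_token": weak.accept(derived_elsewhere)}

    strong.issue("updater-ui")
    results["strong_rejects_forged"] = not strong.accept("0" * 64, "updater-ui")

    token = strong.issue("updater-ui")
    results["strong_rejects_other_client"] = not strong.accept(token, "other-process")
    results["strong_accepts_once"] = strong.accept(token, "updater-ui")
    results["strong_rejects_replay"] = not strong.accept(token, "updater-ui")

    token = strong.issue("updater-ui")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["strong_rejects_expired"] = not strong.accept(token, "updater-ui")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The client binding matters as much as the randomness: a privileged service should tie each token to the connection or caller it was issued to, so that a token observed by another local process is useless even before it expires.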

Other security issues were also addressed in this update.

Update 7/9/15: New security fixes were added in version 5.06.0043
Update 10/14/15: Additional security fixes were added in version 5.07.0013

Update 11/19/15: Additional security fixes were added in version 5.07.0019. This update fixes a local privilege escalation vulnerability that could allow an unprivileged user to gain Administrator or SYSTEM level privileges, and also fixes a temporary administrator account vulnerability that could lead to local privilege escalation.

Mitigation Strategy for Customers (what you should do to protect yourself):
Users should install the latest version of the Lenovo System Update application, version 5.06.0043 or later. The currently installed version can be determined by opening the Lenovo System Update program. Once open, click on the green question mark in the top right corner and then select “About.”

Information about automatic update and enabling automatic update if it has been disabled:
Lenovo System Update will automatically update itself if the default check for critical updates is enabled to automatically download and install updates. In some cases, users may have opted to disable this automatic update.

If automatic update has been disabled by the user, or if the user is unsure whether it was disabled, the user should launch Lenovo System Update and click on “Get New Updates.” Then, when prompted that a new version of System Update is available, the user should click “OK”. The program will then automatically download the updated version, which eliminates the vulnerability.

Information on manual update:
To manually update Lenovo System Update, download the latest version from the following URL

**NOTE:** Versions of Lenovo System Update that shipped on Windows XP or Vista are no longer supported. To eliminate this vulnerability on those operating systems, it is recommended that the Lenovo System Update application be completely uninstalled. This can be done by clicking on “Add/Remove Programs” in the Control Panel, selecting Lenovo System Update and clicking “uninstall.”

Product Impact:
The following products may be impacted:

  • All ThinkPad
  • All ThinkCentre
  • All ThinkStation
  • Lenovo V/B/K/E Series

Acknowledgements:
Lenovo would like to thank:
Michael Milvich and Sofiane Talmat of IOActive (CVE-2015-2219, CVE-2015-2233, CVE-2015-2234)
Martin Rakhmanov of Trustwave (CVE-2015-6971)
Chuanda Ding of Tencent’s Xuanwu Lab (<http://xlab.tencent.com>) (CVE-2015-7333, CVE-2015-7334, CVE-2015-7335, CVE-2015-7336)
Sofiane Talmat of IOActive (CVE-2015-8109, CVE-2015-8110)

Other information and references:

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1.4 | 19 Nov 2015 | New version of System Update 5.07.0019 released that includes additional security fixes |
| 1.3 | 14 Oct 2015 | New version of System Update 5.07.0013 released that includes additional security fixes |
| 1.2 | 9 Jul 2015 | New version of System Update 5.06.0043 released that includes additional security fixes |
| 1.1 | 11 May 2015 | Additional update information provided |
| 1.0 | 14 Apr 2015 | Initial release |
