Lenovo Security Advisory: LEN-7814
Potential Impact: Arbitrary process termination or code execution by unprivileged local users
Scope of Impact: Lenovo specific
Local privilege escalation vulnerabilities were identified in Lenovo Solution Center where unprivileged local users could terminate processes running at higher privilege levels (CVE-2016-5248) or execute arbitrary code (CVE-2016-5249) with LocalSystem account privileges.
The Lenovo Solution Center (LSC) is a software application created by Lenovo that allows users to perform diagnostic functions and quickly identify the status of PC system hardware and software health, network connections and the presence of security features such as firewalls or antivirus programs.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo has released an updated version of Lenovo Solution Center that addresses these vulnerabilities. Lenovo is providing this update through several channels, described below, so that as many users as possible receive it:
1) Updating via Lenovo Solution Center:
Users should open Lenovo Solution Center and they will be presented with a prompt to automatically update LSC to the latest version. Depending on the version of Lenovo Solution Center installed, select either “Yes” or “Update Now” when presented with the prompt.
2) Updating via the Lenovo System Update utility
Open Lenovo System Update and click Next to Get new updates. Follow the prompts to update your system with the latest version of Lenovo Solution Center.
3) Updating via direct download
Click on the download link from the following website. Follow the instructions in the readme file to install the update manually: <https://support.lenovo.com/lenovodiagnosticsolutions/downloads>
4) Updating via the One Key Optimizer utility
Open Lenovo OneKey Optimizer. Click on "Update" and follow the prompts to update your system with the latest version of Lenovo Solution Center.
Versions earlier than 3.3.003 of Lenovo Solution Center may be impacted by these vulnerabilities.
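A local check against the 3.3.003 threshold stated above, as an added example that is not part of Lenovo's advisory. It assumes LSC registers a standard uninstall entry whose DisplayName begins with "Lenovo Solution Center" and whose DisplayVersion is dotted numeric; `Get-LscStatus` is a hypothetical helper name.

```powershell
# Fixed version per the advisory: earlier versions may be impacted.
$FixedVersion = [version]'3.3.003'

# Assumption: LSC appears under the standard uninstall keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: classify a DisplayVersion string against the fixed version.
function Get-LscStatus {
    param([string]$DisplayVersion)
    $parsed = $null
    # Missing or non-numeric versions are reported rather than guessed at.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'Unknown' }
    if ($parsed -lt $FixedVersion) { 'Vulnerable' } else { 'Patched' }
}

# Read the registry directly; this avoids Win32_Product, which can trigger
# MSI consistency checks on every installed package.
$found = @(Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Lenovo Solution Center*' } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Get-LscStatus $_.DisplayVersion
        }
    })

if ($found.Count -eq 0) {
    Write-Output ('{0}: Lenovo Solution Center not found in uninstall registry' -f $env:COMPUTERNAME)
    exit 0
}

$found

# A non-zero exit code lets management tooling flag hosts that still need the update.
if ($found.Status -contains 'Vulnerable') { exit 1 }
if ($found.Status -contains 'Unknown')    { exit 2 }
exit 0
```

Exit code 1 marks a host with a version earlier than 3.3.003, and 2 marks an entry whose version string could not be parsed and needs manual review.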
Lenovo thanks Martin Rakhmanov of Trustwave's SpiderLabs for reporting these vulnerabilities.
Other information and references:
1.1 | 2016-07-11 | Added update method via One Key Optimizer utility
1.0 | 2016-06-23 | Initial release