LENOVO:PS500087-NOSID
May 12, 2017 - 12:00 a.m.

Lenovo Service Bridge Contains Privilege Escalation and Other Vulnerabilities

2017-05-12 00:00:00
support.lenovo.com
EPSS: 0.002 (Low), Percentile: 56.1%

Lenovo Security Advisory: LEN-10149

Potential Impact: Local privilege escalation, cross-site request forgery, insecure connection, possibility to insert a forged code signing certificate

Severity: High

**Scope of Impact:** Lenovo-specific

**CVE Identifier:** CVE-2016-8228, CVE-2016-8229, CVE-2016-8230, CVE-2016-8231

Summary Description:

During an internal investigation, Lenovo identified multiple vulnerabilities in Lenovo Service Bridge (LSB), including the following:

  1. A user with local privileges on a system could execute code with administrative privileges (CVE-2016-8228)
  2. A cross-site request forgery vulnerability could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed (CVE-2016-8229)
  3. An insecure HTTP connection is used by LSB to send system serial number, machine type and model, and product name to Lenovo’s servers (CVE-2016-8230)
  4. A bug found in the signature verification logic of the code signing certificate could be exploited by an attacker to insert a forged code signing certificate (CVE-2016-8231)

Lenovo Service Bridge (LSB.exe) is a Windows utility offered as a download on the Lenovo Support website. It automatically detects your computer’s serial number, machine type and model, then passes this information to a Lenovo server, replacing the need to search or browse for your product to obtain support.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo Service Bridge will automatically update on your system if it is installed. This issue is fixed in version 4 and above. Users can also manually update by going to http://pcsupport.lenovo.com and clicking on “Detect my Serial Number” to view the introduction, terms and conditions, and the download option for Lenovo Service Bridge.

When the update is ready, make sure to select “install” if your anti-virus program (such as Symantec) pops up a message that a new software update is available.
