Privilege Escalation Vulnerability in Lenovo CCSDK

2017-03-31T00:00:00
ID LENOVO:PS500091-NOSID
Type lenovo
Reporter Lenovo
Modified 2017-03-31T00:00:00

Description

Lenovo Security Advisory: LEN-11340

Potential Impact: Privilege Escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2016-8235

Summary Description:

An unquoted service path vulnerability was identified in the Lenovo Customer Care Software Development Kit (CCSDK) that could allow a user with local privileges on a system to execute code with administrative privileges.

The Customer Care Software Development Kit (CCSDK) on Lenovo Desktop and Lenovo Notebook systems provides anonymous, non-personally identifiable diagnostic device data to Lenovo to help Lenovo improve both existing and future products.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update CCSDK to version 2.0.16.3 or later by opening Lenovo System Update, clicking on “Get new updates” and following the prompts to update to the latest version of CCSDK. Users can also manually update by following the instructions at the link here.

Steps to verify that you are running the latest version of CCSDK:

  1. For Windows 8, 8.1 and Windows 10, right-click the Windows icon in the bottom-left corner of the screen. Type Control Panel, and then, under Programs or Programs and Features, click “Uninstall a Program.”

     In Windows 7, open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.

  2. When you find the program “CCSDK”, click it, and then view the version number.
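
The version check above can also be scripted. The following PowerShell is an added example, not part of Lenovo's advisory, and it goes beyond the advisory by also listing any service whose executable path contains a space but is not quoted, the class of flaw described in the summary. It assumes Windows PowerShell 3.0 or later and that the uninstall registry entry's DisplayName contains "CCSDK", as shown in Programs and Features; `Test-UnquotedServicePath` is a helper name chosen for this example.

```powershell
# Added example: compare the installed CCSDK version with the fixed release
# named in the advisory, then audit service paths for missing quotes.
$FixedVersion = [version]'2.0.16.3'   # fixed version, from the advisory

# Assumption: DisplayName contains "CCSDK" (the name shown in Programs and Features).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*CCSDK*' })

if (-not $entries) { Write-Output 'CCSDK: not found in the uninstall registry keys' }
foreach ($e in $entries) {
    $parsed = $null
    if ([version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)) {
        $state = if ($parsed -ge $FixedVersion) { 'OK' } else { 'UPDATE REQUIRED' }
    } else {
        # Do not guess when the version string is missing or malformed.
        $state = 'VERSION UNREADABLE'
    }
    Write-Output ("{0} {1}: {2}" -f $e.DisplayName, $e.DisplayVersion, $state)
}

function Test-UnquotedServicePath {
    # Returns $true when the executable portion of a service path
    # contains a space and the path does not start with a quote.
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if (-not $p -or $p.StartsWith('"')) { return $false }
    # Executable portion: shortest prefix ending in ".exe" (arguments excluded).
    $m = [regex]::Match($p, '^(.+?\.exe)\b', 'IgnoreCase')
    if (-not $m.Success) { return $false }
    return $m.Groups[1].Value.Contains(' ')
}

# List every installed service whose path matches the pattern above.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Select-Object Name, StartName, PathName
```

Any service listed by the last command should be updated by its vendor or have its registered path enclosed in quotation marks.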