Unquoted Service Path Privilege Escalation in ThinkPad Active Protection System - us

2017-08-10T00:00:00
ID LENOVO:PS500126-NOSID
Type lenovo
Reporter Lenovo
Modified 2017-08-10T00:00:00

Description

Lenovo Security Advisory: LEN-15765

Potential Impact: Privilege Escalation

Severity: High

Scope of Impact: Lenovo Specific

CVE Identifier: CVE-2017-3756

Summary Description:

A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems. An attacker with local privileges could execute code with administrative privileges via an unquoted service path.

Active Protection System is used to protect data on a hard drive when the sensor inside your PC detects sudden movement that could potentially damage the hard drive's moving parts. It temporarily stops the drive from spinning, and restarts operation once the shock sensors detect a stable environment. It is also used to control thermal performance in hard drives and solid state drives.

Mitigation Strategy for Customers (what you should do to protect yourself):

Run Lenovo System Update to automatically update Active Protection System to version 1.82.0.17 or later, or manually update by clicking here and following the instructions in the readme file.