Lenovo Security Advisory: LEN-30401
Potential Impact: Escalation of Privilege, Improper Verification of Cryptographic Signature
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2020-8316, CVE-2020-8318, CVE-2020-8319, CVE-2020-8324, CVE-2020-8327
Summary Description:
The following vulnerabilities found in Lenovo Vantage or the Lenovo Vantage component called Lenovo System Interface Foundation were reported to Lenovo.
CVE-2020-8316: A vulnerability was reported in Lenovo Vantage that could allow an authenticated user to read files on the system with elevated privileges.
CVE-2020-8318: A privilege escalation vulnerability was reported in the LenovoSystemUpdatePlugin for Lenovo System Interface Foundation that could allow an authenticated user to execute code with elevated privileges.
CVE-2020-8319: A privilege escalation vulnerability was reported in Lenovo System Interface Foundation that could allow an authenticated user to execute code with elevated privileges.
CVE-2020-8324: A vulnerability was reported in LenovoAppScenarioPluginSystem for Lenovo System Interface Foundation that could allow unsigned DLL files to be executed.
CVE-2020-8327: A privilege escalation vulnerability was reported in LenovoBatteryGaugePackage for Lenovo System Interface Foundation that could allow an authenticated user to execute code with elevated privileges.
Mitigation Strategy for Customers (what you should do to protect yourself):
To update Vantage and its Lenovo System Interface Foundation component, follow these steps:
1. Update Lenovo Vantage to version 10.2003.10.0 from the Microsoft Store.
2. Re-launch Lenovo Vantage to complete the update.
Acknowledgement:
CVE-2020-8318, CVE-2020-8319, CVE-2020-8324: Lenovo thanks Ceri Coburn at Pen Test Partners for reporting these issues.
CVE-2020-8316: Lenovo thanks T Shiomitsu for reporting this issue.
CVE-2020-8327: Lenovo thanks Jonas Lykkegård for reporting this issue.
Revision History:
Revision | Date | Description |
---|---|---|
1 | 2020-04-14 | Initial release |
For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.