**Lenovo Security Advisory:** LEN-2015-020 **Potential Impact:** Privilege Escalation ****Severity****: High **Summary: ** Vulnerabilities have been identified in the Lenovo Service Engine (LSE) which may run on certain Lenovo notebook systems that do not have a Lenovo preloaded operating system installed. Lenovo has released a BIOS update to disable Lenovo Service Engine and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10. See below for a full list of notebook systems with LSE installed. This issue has been assigned CVE-2015-5684. **Description:** Lenovo Service Engine (LSE) is a utility in the BIOS that helps users download a program called OneKey Optimizer (http://support.lenovo.com/us/en/downloads/ds101321) on certain Lenovo Notebook systems that do not have a Lenovo preloaded operating system installed. The utility also sends non-personally identifiable system data to Lenovo servers (see the “Other Information and References” section for a complete list). Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server. LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines (see link below) on how to best implement this feature. Lenovo’s use of LSE was not consistent with these guidelines and Lenovo recommends customers disable this utility by running a disabler program that disables LSE and removes the LSE files from the system. Instructions on how to download and run this program are below. LSE was shipped on certain notebook systems running Windows 7, 8 and 8.1. The LSE functionality has been removed from newly manufactured systems. **Mitigation Strategy for Customers (what you should do to protect yourself):** LSE was shipped on certain notebook systems running Windows 7, 8 and 8.1. Lenovo has released a disable utility that works on Windows 7, 8, 8.1 and 10 in case a user has already manually updated to Windows 10. **For Windows 8, 8.1 and 10** **If the user is running Windows in UEFI mode:** 1. Run the Lenovo LSE disabler tool as an administrator. A command line window will pop up, stay for approximately 30 seconds and then close automatically. The Lenovo LSE disabler tool is available here. The disabler tool automatically performs the following actions: * Stops the LSE service * Deletes all files installed by the LSE module, which include C:\windows\system32\wpbbin.exe C:\windows\system32\LenovoUpdate.exe C:\windows\system32\LenovoCheck.exe * Repairs the autocheck files in Windows * Disables the UEFI variable that enables LSE if the system is running Windows 8, 8.1 or 10 in UEFI mode 2. Restart your PC **For Windows 7 in any mode, or Windows 8, Windows 8.1 and Windows 10 installed in legacy mode, or if you are not sure if your system is running in either UEFI or legacy mode:** **Model** | **Minimum Fix Version** | **Download URL** ---|---|--- B50-10 | CCCN13WW(V1.02) | Flex 2 Pro-15/Edge 15 (Broadwell) | A9CN46WW | Flex 2 Pro-15/Edge 15 (Haswell) | B9CN17WW | Flex 3-1470/1570 | BDCN30WW | Flex 3-1120 | C0CN25WW | G40-80/G50-80/G50-80 Touch/V3000 | B0CN75WW | G40-80m/G50-80m | CBCN75WW | [Contact your local service representative for the update]() Ideapad 100-14IBY | v1.02 (CCCN13WW) | Ideapad 100-15IBY | v1.02 (CCCN13WW) | S21e | C4CN14WW(V1.04) | S41-70/U41-70 | BDCN30WW | S435/M40-35 | BBCN15WW(V1.06) | U31-70 | AFCN30WW(V2.02) | Yoga3 14 | BACN33WW | Yoga 3 11 | B8CN30WW(V2.08) | Y40-80 | B5CN36WW(V2.02) | Z41-70/Z51-70 | C2CN18WW(V1.04) | Z70-80 / G70-80 | ABCN75WW | 1. Please update your system to run at the latest level BIOS. To do so, please download the update at the appropriate URL below. The systems listed below need to be running at or above the following BIOS versions. The latest level BIOS disables the LSE functionality: 2. Follow the instructions in the Lenovo LSE disabler tool readme file to run the disabler tool. A command line window will pop up, stay for approximately 30 seconds and then close automatically. The Lenovo LSE disabler tool is available here. The disabler tool automatically performs the following actions: * Stops the LSE service * Deletes all files installed by the LSE module, which include C:\windows\system32\wpbbin.exe C:\windows\system32\LenovoUpdate.exe C:\windows\system32\LenovoCheck.exe * Repairs the autocheck files in Windows * Automatically disables the UEFI variable that enables LSE if the system is running Windows 8, 8.1 or 10 in UEFI mode 3. Restart your PC **Product Impact:** **Model** B50-10 --- Flex 2 Pro-15/Edge 15 (Broadwell) Flex 2 Pro-15/Edge 15 (Haswell) Flex 3-1470/1570 Flex 3-1120 G40-80/G50-80/G50-80 Touch/V3000 G40-80m/G50-80m IdeaPad 100-14IBY IdeaPad 100-15IBY S21e S41-70/U40-70 S435/M40-35 U31-70 Yoga 3 14 Yoga 3 11 Y40-80 Z41-70/Z51-70 Z70-80 / G70-80 **Acknowledgements: ** Thanks to Roel Schouwenberg and to Microsoft for reporting these issues **Other information and references:** LSE automatically sends specific system data to a Lenovo server to help us understand how our customers use our products. This data does not contain personally identifiable user information. Data consists of the product name, region information, and configuration information, which includes memory size, SKU number, CPU model, screen resolution, HDD size, display card model, and OS version. This information is collected and sent once when the system first connects to the Internet. ****Link to updated Microsoft WPBT guidelines:**** * **Revision History:** ****Revision**** | ****Date**** | ****Description**** ---|---|--- ** 1.1** | ** 27 Apr 2016** | ** Added affected machine types B50-10, U31-70, Ideapad 100-14IBY and Ideapad 100-15-IBY** ** 1.0** | ** 31 Jul 2015** | ** Initial release**