PC maker, Lenovo had released a new version of its System
Update software to fix some privilege escalation vulnerabilities discovered by
an IO Active researcher, Sofiane Talmat.
Lenovo System Update is software which is designed to help
users obtain driver, BIOS and application updates for Lenovo and Think systems.
Previously it was also known as Think Vantage System Update.
The system update validates all system update files when
they are downloaded from Lenovo servers.
However, in cases of a malware being present, the downloaded updates can
be altered before installation. The latest version released eliminates this
possibility.
The System uses SUService.exe to run updates. The service
only accepts command when a valid security token is passed along with the
command. This process is part of the authentication and validation process.
Though utmost precaution was taken during system updates a
big vulnerability was discovered on how the security token was generated
allowing an attacker to run commands. The latest Lenovo System Update released
fixed the token authentication flaws.
Talmat also discovered a local underprivileged attacker
could execute commands like a privilege user of Windows system.
In the system update, an application, GUI is executed with
temporary administrator account which includes link to various Lenovo website’s
pages. As the link is clicked, the web pages open in a browser launched by
temporary admin account which allows an attacker to leverage this browser
session.
The vulnerabilities were reported to Lenovo on November 2
and they were patched on November 19 with the release of System Update
5.07.0019.
Apart from this, the PC Company has released many new
versions of its system update software to address issues, including that of researchers
from Trustwave, IOActive and Tencent’s Xuanwu Lab.