A high-severity privilege escalation bug has been discovered in Lenovo Solution Center (LSC) software, reports Pen Test Partners.
The vulnerability - CVE-2019-6177 - is a discretionary access control list (DACL) overwrite, which means that a high-privileged Lenovo process overwrites the privileges of a file, giving all users on the system full control of that file. This includes a low-privileged user, who can write a 'hardlink' file to the controllable location (a pseudofile that points to any other file - of which the low-privileged user doesn’t have control - on the system).
When the Lenovo process runs, "it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to. This can be used to execute arbitrary code on the system with Administrator or SYSTEM privileges."
Among other things, the LSC monitors virus and firewall status, updates software and performs backups, checks battery health, and gets warranty and registration details. The software was released in 2011 and went 'end of life' in November, 2018, meaning the bug could have been sitting within LSC-intalled machines for up to eight years.
Read the full Pen Test Partners findings.
