New security vulnerability found in Lenovo Solution Centre software
Lenovo Solution Centre (LSC) software has a critical vulnerability that allows attackers with local network access to a PC to execute arbitrary code, said researchers at Trustwave SpiderLabs. Once an attacker has access to the local network, they can use the software to elevate their privileges and then trick LSC into running arbitrary code in the local system context when its service starts up.
LSC comes preloaded on nearly all Lenovo business and consumer desktop and laptop PCs. The software acts as a dashboard that monitors system health and security, from battery life and driver updates to firewall status.
A fix for the vulnerability was released by Lenovo and can be downloaded by visiting the software’s page on its website. This is the second time the computer maker has had to patch LSC – the first being in December 2015.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 it updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” a Lenovo spokesperson told Threatpost.
“This is a pretty bad vulnerability, but it does require an existing user to be logged in in order to pull off any attack,” Sigler said in an email interview with Threatpost. He said the attack can’t be exploited remotely. “For a malicious insider or for an attacker that already has a foothold in the network, this vulnerability could be used to make that foothold a full gateway to your network,” he said.
This is not the first time Lenovo has faced problems with security flaws in its pre-installed software. Last year, the company faced a lawsuit after it pre-installed the SuperFish “man-in-the-middle” adware, which could steal personal data, on a number of its consumer PCs. The company admitted to making a mistake and distributed fixes that removed applications and certificates based on SuperFish from purchased Lenovo solutions. Uninstall instructions were also provided.