Lenovo has fixed two dangerous vulnerabilities in its Solution Center product as part of the LEN-7814 update. Lenovo Solution Center is a Lenovo application used to tune the performance and usability of products from the Think family. With it, users can monitor system health, the status of network connections and overall system security. The application comes preinstalled on computers manufactured by Lenovo. All versions of the application below 3.3.003 need to be updated.
The update closes two vulnerabilities: CVE-2016-5248, a Local Privilege Escalation (LPE), and CVE-2016-5249, of type RCE + LPE. Using the first vulnerability, an attacker with the rights of a regular user can terminate processes running with a higher level of privileges. The second vulnerability is much more dangerous, since it allows attackers to remotely execute code in the system under the LocalSystem account, which has the maximum rights. In the case of the first vulnerability, an attacker must first gain access to the system, and only then can he use the exploit to terminate processes.
Lenovo Security Advisory: LEN-7814
Potential Impact: Arbitrary process termination or code execution by unprivileged local users
Severity: High
Scope of Impact: Lenovo specific
Summary Description: Lenovo Solution Center local privilege escalation vulnerabilities where it was possible to obtain privilege levels (CVE-2016-5248) or execute arbitrary code (CVE-2016-5249) with LocalSystem account privileges.
There are three ways to install the update for Lenovo Solution Center. The first is to use the built-in auto-update feature of the Solution Center: the program itself displays a message to the user about the update. The second is to use the Lenovo System Update utility. The third is to download the updated version of the program directly from the Lenovo website.