Connect with us

Hi, what are you looking for?



Lenovo Patches Critical ‘System Update’ Vulnerabilities

Lenovo has patched critical flaws in its computers that allow an attacker to compromise the System Update service.

Lenovo has patched critical flaws in its computers that allow an attacker to compromise the System Update service.

As its name implies, Lenovo’s System Update feature downloads system updates from the Internet. Security researchers at IOActive however identified multiple vulnerabilities that could enable attackers to wreak havoc. The first of the vulnerabilities, if exploited, allows a local least-privileged user to run commands as the system user. 

According to IOActive, this is due to System Update using a predictable security token.

“Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk,” according to the advisory. “Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user.”

The second issue has to do with signature validation issues. If left unpatched, local and remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious ones. Specifically, Lenovo failed to validate the certificate authority (CA) chain, allowing an attacker to potentially create a fake CA and use it to create a fraudulent code-signing certificate.

“Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable,” according to the advisory. “The System Update uses TLS/SSL to secure its communications with the update server, which should protect against “coffee shop” style attacks.”

Failing to validate a certificate properly gives attackers a powerful weapon to circumvent security, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

Advertisement. Scroll to continue reading.

“With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected,” he said. “Using keys and certificates attempted to solve the first security problems on the Internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”

The final flaw allows local unprivileged users to run commands as administrators. While the System Update checks for a signature before running executables downloaded from the Internet, it does so in a directory that is writeable by any user.

“As a result of saving the executables in a writable directory, Lenovo created a race condition between verifying the signature and executing the saved executable,” according to IOActive. “A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable.”

All three vulnerabilities were patched in April.   

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.