Lenovo ThinkPads vulnerable to privilege escalation exploit, researchers warn

A component running on the popular business computers is vulnerable to a chained exploit that grants full access to attackers

A front view of a Lenovo ThinkPad store in Beijing, China

Users of Lenovo's range of ThinkPad workstations have been warned to patch their systems following the discovery of flaws that allows hackers to launch privilege escalation attacks.

It's believed that two separate flaws can be chained together to target the ImControllerService component and change a user's access level to a system, according to security researchers at NCC Group.

The ImControllerService is a component present on Lenovo's ThinkPad hardware range and controls tasks such as system power management and app and driver updates.

The vulnerability can be triggered by exploiting two flaws, tracked as CVE-2021-3922 and CVE-2021-3969, affecting the way in which the ImControllerService handles the execution of highly privileged child processes, NCC Group said.

The normal running of a system will have the ImControllerService periodically start child processes that open named pipe servers. These named pipe servers connect to the parent process in order to retrieve and execute the necessary XML serialised commands.

One of these commands is to load a plugin from an arbitrary location on the system. The child process is required to validate the digital signature of the plugin dynamic-link library (DLL) before loading and executing the file.

However, hackers are able to hijack this process in order to change privileges and load any payload of their choosing onto the machine.

Related Resource

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Whitepaper front coverDownload now

The first vulnerability lies in the fact that the child process fails to check whether the source of the initial connection is legitimate. This creates a race condition that effectively sees the hacker try and make a connection with the named pipe ahead of the parent process.

"An attacker using high-performance filesystem synchronisation routines can reliably win the race with the parent process to connect to the named pipe," said NCC Group. During testing NCC Group’s proof of concept code never failed to connect to the named pipe before the parent service could do so.

"Because the child process does not validate the source of the connection it will begin accepting commands from the attacker after the race condition has been exploited."

NCC Group's screenshot of the Lenovo ImControllerService showing a named pipe in a child process

A named pipe in a child process

NCC Group

The second vulnerability is a time-of-check to time-of-use flaw, which stems from how the child process validates the plugin it's being asked to load. When loading a DLL, the child process validates its authenticity by checking if it's signed by Lenovo.

However, attackers can use opportunistic locking (OpLocks) on a file to stall the validation process long enough for them to load their own DLL. Once the lock is released, the machine will load the DLL of the attacker's choosing which leads to privilege escalation.

A screenshot of the Lenovo ImControllerService with highlighted areas showing the exploit chain

The Lenovo two-vulnerability exploit chain

NCC Group

Lenovo has released an advisory in which it warns users to patch machines to the latest IMController version (version 1.1.20.3). The component is automatically updated by the Lenovo System Interface Foundation Service, which means the update can be triggered by rebooting the machine or manually restarting the 'System Interface Foundation Service' service, it said.

It's currently unclear how many Lenovo machines were, or currently are, thought to be affected globally, but Lenovo told IT Pro: "Lenovo worked with NCC in line with industry best practices and fixed the issue in November and customers are already protected."

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

The IT Pro Products of the Year 2021: The year’s best hardware and software
Hardware

The IT Pro Products of the Year 2021: The year’s best hardware and software

31 Dec 2021
Lenovo Tab P11 Pro review: A superb Android tablet with a convenient keyboard case
tablets

Lenovo Tab P11 Pro review: A superb Android tablet with a convenient keyboard case

13 Dec 2021
Esper and Lenovo simplify enterprise Android device deployment
tablets

Esper and Lenovo simplify enterprise Android device deployment

22 Oct 2021
Lenovo ThinkPad X1 Titanium Yoga review: Slim, light, but only alright
Laptops

Lenovo ThinkPad X1 Titanium Yoga review: Slim, light, but only alright

28 Sep 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022