
Lenovo ThinkPads vulnerable to privilege escalation exploit, researchers warn

A component running on the popular business computers is vulnerable to a chained exploit that grants full access to attackers


Users of Lenovo's range of ThinkPad workstations have been warned to patch their systems following the discovery of flaws that allow hackers to launch privilege escalation attacks.

Security researchers at NCC Group believe that two separate flaws can be chained together to target the ImControllerService component and elevate a user's access level on a system.

The ImControllerService is a component present on Lenovo's ThinkPad hardware range and controls tasks such as system power management and app and driver updates.

The attack relies on two flaws, tracked as CVE-2021-3922 and CVE-2021-3969, which affect the way the ImControllerService handles the execution of highly privileged child processes, NCC Group said.

During normal operation, the ImControllerService periodically starts child processes that open named pipe servers. These named pipes are used to exchange XML-serialised commands with the parent process, which the child process retrieves and executes.

One of these commands instructs the child process to load a plugin from an arbitrary location on the system. The child process is required to validate the digital signature of the plugin dynamic-link library (DLL) before loading and executing the file.

However, hackers are able to hijack this process in order to change privileges and load any payload of their choosing onto the machine.


The first vulnerability lies in the fact that the child process fails to check whether the source of the initial connection is legitimate. This creates a race condition in which an attacker attempts to connect to the named pipe before the parent process does.

"An attacker using high-performance filesystem synchronisation routines can reliably win the race with the parent process to connect to the named pipe," said NCC Group. During testing, NCC Group's proof-of-concept code never failed to connect to the named pipe before the parent service could do so.

"Because the child process does not validate the source of the connection it will begin accepting commands from the attacker after the race condition has been exploited."

[Screenshot: the Lenovo ImControllerService showing a named pipe in a child process. Credit: NCC Group]

The second vulnerability is a time-of-check to time-of-use flaw, which stems from how the child process validates the plugin it is being asked to load. When loading a DLL, the child process validates its authenticity by checking whether it is signed by Lenovo.

However, attackers can use opportunistic locking (OpLocks) on the file to stall the child process between the signature check and the load, long enough to put their own DLL in its place. Once the lock is released, the service loads the DLL of the attacker's choosing, which leads to privilege escalation.

[Screenshot: the Lenovo ImControllerService with highlighted areas showing the two-vulnerability exploit chain. Credit: NCC Group]

Lenovo has released an advisory urging users to update affected machines to the latest IMController version (version 1.1.20.3). The component is updated automatically by the Lenovo System Interface Foundation Service, which means the update can be triggered by rebooting the machine or by manually restarting the 'System Interface Foundation Service', it said.
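As an added example (not code from the article, NCC Group or Lenovo), the PowerShell check below reads the installed IMController build on a ThinkPad, compares it with the fixed version Lenovo names, and restarts the System Interface Foundation Service to trigger the update when the build is older. It assumes the component is registered as a Windows service named 'ImControllerService' and that its binary's file version matches the component version Lenovo quotes.

```powershell
# Added example (not from the article, NCC Group or Lenovo): audit a ThinkPad's
# installed IMController build against the fixed version named in Lenovo's
# advisory and, if older, restart the LSIF service so the auto-updater applies it.
# Assumptions: the Windows service name is 'ImControllerService' and its binary's
# file version tracks the IMController component version quoted by Lenovo.
$FixedVersion = [version]'1.1.20.3'

function Get-ImControllerStatus {
    $svc = Get-CimInstance Win32_Service -Filter "Name='ImControllerService'"
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Path = $null; Version = $null; Patched = $null }
    }
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $vi  = (Get-Item -LiteralPath $exe).VersionInfo
    # Build the version from the numeric parts so odd FileVersion strings do not break the cast.
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Present = $true
        Path    = $exe
        Version = $ver
        Patched = ($ver -ge $FixedVersion)
    }
}

$status = Get-ImControllerStatus
if (-not $status.Present) {
    Write-Output 'ImControllerService is not installed on this host; nothing to do.'
} elseif ($status.Patched) {
    Write-Output "IMController $($status.Version) is at or above $FixedVersion; no action needed."
} else {
    Write-Warning "IMController $($status.Version) predates $FixedVersion (CVE-2021-3922 / CVE-2021-3969)."
    # Lenovo says the component is updated automatically by the System Interface
    # Foundation Service, and that restarting that service triggers the update.
    $lsif = Get-Service -DisplayName '*System Interface Foundation*' -ErrorAction SilentlyContinue
    if ($lsif) {
        $lsif | Restart-Service -Force
        Write-Output "Restarted '$($lsif.DisplayName)'; re-run this check after the update completes."
    } else {
        Write-Warning 'System Interface Foundation Service not found; reboot or update manually.'
    }
}
```

Run it from an elevated PowerShell session; restarting the service requires administrative rights, and the version comparison alone can be run unprivileged for fleet-wide reporting.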

It is currently unclear how many Lenovo machines are, or were, affected globally, but Lenovo told IT Pro: "Lenovo worked with NCC in line with industry best practices and fixed the issue in November and customers are already protected."
