IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Lenovo ThinkPads vulnerable to privilege escalation exploit, researchers warn

A component running on the popular business computers is vulnerable to a chained exploit that grants full access to attackers

A front view of a Lenovo ThinkPad store in Beijing, China

Users of Lenovo's range of ThinkPad workstations have been warned to patch their systems following the discovery of flaws that allows hackers to launch privilege escalation attacks.

It's believed that two separate flaws can be chained together to target the ImControllerService component and change a user's access level to a system, according to security researchers at NCC Group.

The ImControllerService is a component present on Lenovo's ThinkPad hardware range and controls tasks such as system power management and app and driver updates.

The vulnerability can be triggered by exploiting two flaws, tracked as CVE-2021-3922 and CVE-2021-3969, affecting the way in which the ImControllerService handles the execution of highly privileged child processes, NCC Group said.

The normal running of a system will have the ImControllerService periodically start child processes that open named pipe servers. These named pipe servers connect to the parent process in order to retrieve and execute the necessary XML serialised commands.

One of these commands is to load a plugin from an arbitrary location on the system. The child process is required to validate the digital signature of the plugin dynamic-link library (DLL) before loading and executing the file.

However, hackers are able to hijack this process in order to change privileges and load any payload of their choosing onto the machine.

Related Resource

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Whitepaper front coverDownload now

The first vulnerability lies in the fact that the child process fails to check whether the source of the initial connection is legitimate. This creates a race condition that effectively sees the hacker try and make a connection with the named pipe ahead of the parent process.

"An attacker using high-performance filesystem synchronisation routines can reliably win the race with the parent process to connect to the named pipe," said NCC Group. During testing NCC Group’s proof of concept code never failed to connect to the named pipe before the parent service could do so.

"Because the child process does not validate the source of the connection it will begin accepting commands from the attacker after the race condition has been exploited."

NCC Group's screenshot of the Lenovo ImControllerService showing a named pipe in a child process

A named pipe in a child process

NCC Group

The second vulnerability is a time-of-check to time-of-use flaw, which stems from how the child process validates the plugin it's being asked to load. When loading a DLL, the child process validates its authenticity by checking if it's signed by Lenovo.

However, attackers can use opportunistic locking (OpLocks) on a file to stall the validation process long enough for them to load their own DLL. Once the lock is released, the machine will load the DLL of the attacker's choosing which leads to privilege escalation.

A screenshot of the Lenovo ImControllerService with highlighted areas showing the exploit chain

The Lenovo two-vulnerability exploit chain

NCC Group

Lenovo has released an advisory in which it warns users to patch machines to the latest IMController version (version 1.1.20.3). The component is automatically updated by the Lenovo System Interface Foundation Service, which means the update can be triggered by rebooting the machine or manually restarting the 'System Interface Foundation Service' service, it said.

It's currently unclear how many Lenovo machines were, or currently are, thought to be affected globally, but Lenovo told IT Pro: "Lenovo worked with NCC in line with industry best practices and fixed the issue in November and customers are already protected."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

IT Pro News in Review: Vulnerable Lenovo laptops, record EE 5G speeds, Okta ends LAPSUS$ probe
Security

IT Pro News in Review: Vulnerable Lenovo laptops, record EE 5G speeds, Okta ends LAPSUS$ probe

22 Apr 2022
PC sales slow in 2022 after pandemic recovery begins
Hardware

PC sales slow in 2022 after pandemic recovery begins

11 Apr 2022
IT Pro News In Review: The Works cyber attack, Lenovo recruitment drive, old macOS vulnerabilities
cyber security

IT Pro News In Review: The Works cyber attack, Lenovo recruitment drive, old macOS vulnerabilities

8 Apr 2022
Lenovo IdeaPad Duet 5 Chromebook review: A confident convertible
Laptops

Lenovo IdeaPad Duet 5 Chromebook review: A confident convertible

14 Mar 2022

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022