After a year of security blunders for PC manufacturers - Lenovo, Dell and Toshiba have been caught bundling insecure software on their PCs. This isn’t new for Lenovo or Dell, who have both been found to have security flaws on their PCs in recent months.
The vulnerabilities were discovered and recently disclosed by security researcher, Slipstream, who has previously been in the news for similar discoveries.
The vulnerabilities are pretty high on the severity scale, particularly for Lenovo, where exploits can be triggered remotely and executed with SYSTEM-level permissions.
A summation of the bugs, according to CERN and Slipstream:
- Lenovo
- Lenovo Solution Center creates a process called LSCTaskService that runs with full administrator rights, and fires up a web server on port 55555. It can be instructed via GET and POST HTTP requests to execute code in a directory a local user can access.
- Lenovo Solution Center will execute, again with full privileges, programs found in an arbitrary location on disk where the user can write to. Put some bad software in there, and it will be executed with admin rights.
- A classic cross-site request forgery (CSRF) vulnerability exists in the LSCTaskService process, allowing any visited webpage to pass commands to the local web server to execute with full privileges.?
- Dell"s bundled utility Dell System Detect can be made to gain admin privileges and execute arbitrary commands – by feeding it a security token downloaded from, er, dell.com: a token granting Dell System Detect permission to install manuals can be abused to execute programs (such as malware) with admin privileges. This can be exploited by software on your computer to fully compromise the machine.
- Toshiba"s bundled Service Station tool can be abused by normal users and unprivileged software to read the majority of the operating system"s registry as a SYSTEM-level user.
The current advice from both US CERT and Lenovo is to uninstall the Lenovo System Center. As for the other vendors, we are yet to hear any official recommendations.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. However, please consider the following workaround:Uninstall or close Lenovo Solution Center
Uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities. Closing any running instance of Lenovo Solution Center also prevents exploitation.
Source: The Register