CVE-2015-8109

Published: 24/04/2017 Updated: 29/04/2017
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
CVSS v3 Base Score: 7 | Impact Score: 5.9 | Exploitability Score: 1
VMScore: 614
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Lenovo System Update (formerly ThinkVantage System Update) prior to 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability."

Vulnerable Product

lenovo lenovo system update

Recent Articles

Lenovo slings privilege patches at in-built tools
The Register • Team Register • 26 Nov 2015

Temp account means God mode for regular users.

IOActive security bod Sofiane Talmat has found two since-patched privilege escalation vulnerabilities in Lenovo System Update utility. The tool keeps drivers and BIOS up to date. Talmat found the tool's help function contains a vulnerability (CVE-2015-8109) that can allow regular users to gain administrative access. "Since the main application Tvsukernel.exe is running as Administrator, the web browser instance that starts to open a help URL inherits the parent administrator privileges," Talmat ...