
CVE-2015-8110

Published: 24/04/2017 Updated: 28/04/2017
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 641
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Lenovo System Update (formerly ThinkVantage System Update) prior to 5.07.0019 allows local users to gain privileges by navigating to (1) "Click here to learn more" or (2) "View privacy policy" within the Tvsukernel.exe GUI application in the context of a temporary administrator account, aka a "local privilege escalation vulnerability."

Vulnerable Product

lenovo lenovo system update

Recent Articles

Lenovo slings privilege patches at in-built tools
The Register • Team Register • 26 Nov 2015

Temp account means God mode for regular users.

IOActive security bod Sofiane Talmat has found two since-patched privilege escalation vulnerabilities in the Lenovo System Update utility. The tool keeps drivers and BIOS up to date. Talmat found the tool's help function contains a vulnerability (CVE-2015-8109) that can allow regular users to gain administrative access. "Since the main application Tvsukernel.exe is running as Administrator, the web browser instance that starts to open a help URL inherits the parent administrator privileges," Talmat ...