Lenovo laptops susceptible to bug permitting admin privileges

Share your love


Lenovo laptops, together with ThinkPad and Yoga fashions, are susceptible to a privilege elevation bug within the ImControllerService service permitting attackers to execute instructions with admin privileges.

The issues are tracked as CVE-2021-3922 and CVE-2021-3969 and have an effect on the ImControllerService part of all Lenovo System Interface Basis variations under When viewing the Home windows companies display screen, this service has a show identify of “System Interface Basis Service.”

The actual service is a part of Lenovo System Interface Basis, which helps Lenovo units talk with common apps like Lenovo Companion, Lenovo Settings, and Lenovo ID. The service is preinstalled by default on quite a few Lenovo Fashions, together with Yoga and ThinkPad units.

Lenovo IMControllerService Windows service
Lenovo ImControllerService Home windows service

“The Lenovo System Interface Basis Service gives interfaces for key options reminiscent of: system energy administration, system optimization, driver and utility updates, and system settings to Lenovo functions together with Lenovo Companion, Lenovo Settings and Lenovo ID,” reads the outline of the Home windows service.

“In the event you disable this service, Lenovo functions won’t work correctly.”

The invention of the vulnerabilities was the work of researchers at NCC Group, who reported their findings to Lenovo on October 29, 2021.

The pc maker launched the safety updates on November 17, 2021, whereas the related advisory was revealed on December 14, 2021.

Susceptible system part

As a result of ImController must fetch and set up recordsdata from Lenovo servers, execute youngster processes, and carry out system configuration and upkeep duties, it runs with SYSTEM privileges.

SYSTEM privileges are the very best consumer rights out there in Home windows and permit somebody to carry out virtually any command on the working system. Primarily, if a consumer features SYSTEM privileges in Home windows, they acquire full management over the system to put in malware, add customers, or change virtually any system setting.

This Home windows service will spawn additional youngster processes, which open named pipe servers that the ImController service used to speak with the kid course of. When ImController wants considered one of these companies to execute a command, it is going to hook up with the named pipe and subject XML serialized instructions that ought to be executed.

Sadly, the service does not deal with the communications between privileged youngster processes securely and fails to validate the supply of XML serialized instructions. Which means that another course of, even malicious ones, can hook up with the kid course of to subject their very own instructions.

As such, an attacker leveraging this safety hole can ship an instruction to load a ‘plugin’ from an arbitrary location on the filesystem.

“The primary vulnerability is a race situation between an attacker and the father or mother course of connecting to the kid course of’ named pipe,” explains NCC Group

“An attacker utilizing high-performance filesystem synchronization routines can reliably win the race with the father or mother course of to connect with the named pipe.”

The researchers underline that their proof of idea code by no means failed to connect with the named pipe earlier than the father or mother service might accomplish that, which suggests the exploit could be very dependable.

Winning the race to load malicious code
Profitable the race to load malicious code
Supply: NCC Group

The second flaw is a time-of-check to time-of-use (TOCTOU) vulnerability which allows an attacker to stall the loading strategy of a validated ImControllerService plugin and substitute it with a DLL of their selecting.

As soon as the lock is launched and the loading process continues, the DLL is executed, main to privilege escalation.

Loading a malicious plugin.
Loading a malicious plugin by way of ImController
Supply: NCC Group

Updating is the one resolution

All Home windows customers with Lenovo laptops or desktops operating the ImController model or older are suggested to improve to the newest out there model (

To find out what model you are operating, comply with these steps:

  • Open File Explorer and navigate to C:WindowsLenovoImControllerPluginHost.
  • Proper-click on Lenovo.Fashionable.ImController.PluginHost.exe and choose Properties.
  • Click on on the Particulars tab.
  • Learn the File model.

Eradicating the ImController part, or the Lenovo System Interface Basis, out of your gadget will not be formally really helpful as a result of it could have an effect on some capabilities in your gadget, even when it isn’t thought-about important.


Supply hyperlink

Share your love