Lenovo System Update Arbitrary Code Execution Vulnerability (CVE-2015-2219)
Release date:
Updated on:
Affected Systems:
Lenovo System Update <= 5.6.0.27
Description:
CVE (CAN) ID: CVE-2015-2219
Lenovo System Update is a member of the ThinkVantage software family that automatically updates ThinkPad systems, including device drivers and Windows system patches.
Lenovo System Update 5.6.0.27 and earlier versions use predictable security tokens. This vulnerability allows attackers to execute arbitrary commands with SYSTEM user privileges.
<* Source: IOActive
Link: http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf
*>
Suggestion:
Vendor patch:
Lenovo
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.lenovo.com/ca/en/