Release date:
Updated on:
Affected Systems:
Lenovo ThinkManagement Console 9.0.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52023
The Lenovo ThinkManagement Console is an inventory management tool.
The Lenovo ThinkManagement Console has security vulnerabilities that malicious users can exploit to manipulate data or take control of user systems.
1) The ServerSetup web service (/landesk/managementsuite/core.anonymous/ServerSetup.asmx) allows unauthorized access to some SOAP operations. Attackers can upload arbitrary files to the web root using the "-PutUpdateFileCore" command in the "RunAMTCommand" operation.
2) VulCore (/WSVulnerabilityCore/VulCore.asmx) has an input validation vulnerability when processing some SOAP operations. The "filename" parameter of the "SetTaskLogByFile" operation can be used to delete arbitrary files through directory traversal sequences.
<* Source: Andrea Micalizzi
Link: http://secunia.com/advisories/47666/
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Lenovo
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software monitor the vendor's homepage to obtain the latest version:
http://www.lenovo.com/ca/en/
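
With no vendor patch available, requests to the two web services named above can be watched for in the IIS logs. The following is an added example, not part of the original advisory: it scans IIS W3C extended logs for requests to those endpoints from outside an allowlist. The allowlisted network, the function name and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Endpoint paths as given in the advisory, lowercased (IIS paths are case-insensitive).
WATCHED = (
    "/landesk/managementsuite/core.anonymous/serversetup.asmx",
    "/wsvulnerabilitycore/vulcore.asmx",
)
# Assumption: management hosts that legitimately call these services.
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/28")]

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2012-02-16 09:14:02 POST /landesk/managementsuite/core.anonymous/ServerSetup.asmx - 10.0.5.4 200
2012-02-16 09:20:41 POST /LANDesk/ManagementSuite/core.anonymous/ServerSetup.asmx - 192.0.2.77 200
2012-02-16 09:21:07 POST /WSVulnerabilityCore/VulCore.asmx - 192.0.2.77 200
2012-02-16 09:25:13 GET /landesk/index.aspx CORP\\alice 10.0.9.20 200
2012-02-16 09:30:55 POST /WSVulnerabilityCore/VulCore.asmx - 192.0.2.77 401
"""

def find_suspect_requests(log_text, allowed=ALLOWED_NETS):
    """Return (timestamp, client, path, status) for watched-endpoint requests from outside `allowed`."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        if rec.get("cs-uri-stem", "").lower() not in WATCHED:
            continue
        try:
            client = ipaddress.ip_address(rec.get("c-ip", ""))
            trusted = any(client in net for net in allowed)
        except ValueError:
            trusted = False  # unparseable source address is reported, not skipped
        if not trusted:
            hits.append((f"{rec.get('date')} {rec.get('time')}", rec.get("c-ip"),
                         rec["cs-uri-stem"], rec.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(*hit)
```

The SOAP operation name travels in the request body or SOAPAction header, which these log fields do not record, so this check flags endpoint access rather than specific operations.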