Owners of older Lenovo laptops need to uninstall the Lenovo Solution Center as soon as possible.
Security researchers at Pen Test Partners found a critical vulnerability in the Lenovo Solution Center that could hand admin privileges over to hackers or malware.
According to Pen Test Partners, the flaw is a discretionary access control list (DACL) overwrite, which means a low-privileged user can sneak into a sensitive file by exploiting a high-privileged process. This is an example of a "privileged escalation" attack in which a bug can be used to gain access to resources that are normally only accessible to admins.
In this case, an attacker could write a pseudo-file (called a hard link file) that, when run by Lenovo Solution Center, would access sensitive files it otherwise shouldn't be allowed to reach. From there, damaging code could be executed on the system with administrator or system privileges, which is basically game over, as Pen Test Partners notes.
Lenovo Solution Center is a program that was preinstalled on Lenovo laptops from 2011 up until November 2018, which means millions of devices could be affected. Ironically, the program's purpose is to monitor the health and security of a Lenovo PC. While this flaw isn't such a big concern for individual users who can quickly protect their systems, larger companies who own a fleet of older ThinkPad laptops and use legacy software might be slow to adapt.
For its part, Lenovo published a security statement warning users about the bug and urging them to uninstall Solution Center, which the company no longer supports.
"A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018," reads the statement.
Lenovo didn't specify when it stopped shipping laptops with Solution Center pre-installed, so it's possible that many Lenovo laptops that are less than one year old carry unsupported software with major flaws.
Lenovo has also been accused of covering its tracks. According to Pen Test Partners, after they informed Lenovo of the vulnerability, the computer maker allegedly rolled back Solution Center's end-of-life date by several months to make it seem like the feature was discontinued before the last version was released in November 2018.
"It’s often the case for applications that reach end of support that we continue to update the applications as we transition to new offerings is to ensure customers that have not transitioned, or choose not to, still have a minimal level of support, a practice that is not uncommon in the industry," Lenovo told The Register when asked about the discrepancy.
Whether Lenovo is being sly or not, the bottom line is this: if you own a Lenovo laptop manufactured between 2011 and 2018, then absolutely get rid of Lenovo Solution Center as soon as possible. You can do so by following this simple guide on how to uninstall programs on Windows 10.
Laptop Magazine has reached out to Lenovo for comment, and we will update this story when we receive a reply.