Skip to main content

Scary Lenovo flaw lets attackers execute malicious code: What to do now

(Image credit: Laptop Mag)

Lenovo laptop owners should update their systems immediately.

Security researchers at SafeBreach found a vulnerability in Lenovo System Interface Foundation, a service pre-installed on Lenovo PCs. 

Assigned the identification number CVE-2019-6189, the vulnerability can be used by an attacker to take over a machine and plant malicious code, all while remaining hidden. 

Lenovo System Interface Foundation is a component required to run Lenovo Settings for Enterprise and Lenovo Vantage, an application pre-installed on almost every modern Lenovo laptop that lets users update drivers, run diagnostics and request support. 

It's not clear how many laptops have been targeted, but SafeBreach states "...this service was interesting because it is preinstalled on Windows-based Lenovo PCs. A vulnerability in such a service would have a big impact and would be interesting to many people." 

How does it work?

Without getting too deep into the weeds, SafeBreach discovered the CVE-2019-6189 vulnerability by loading an arbitrary DLL, or a file that runs in place of another file, into a signed process that runs as NT AUTHORITY/SYSTEM (an admin account with the highest level privileges).  

Specifically, the security research group was able to load Wintrust.dll and execute code within Lenovo.Modern.ImController.PluginHost.Device. 

With this sort of access, they could have planted malicious payloads in the Lenovo System Interface Foundation service while posing as a legitimate admin. It could even have done so in a persistent way, which means the damaging code would run every time an infected system was restarted. 

SafeBreach explains that the two root causes of the breach in security are that there is no digital certification validation and because of an untrusted DLL search order. 

In the past several months, SafeBreach has found similar DLL-injection vulnerabilities in HP and Dell computers, as well as in Bitdefender, Trend Micro, McAfee and Symantec antivirus software.

Is your Lenovo laptop in danger?

Lenovo posted a support page describing the vulnerability, which it deemed to be of "Medium" severity. 

It's important to note that a malicious actor would need administrator privileges on your laptop to exploit this vulnerability, so you should be protected as long as you don't let someone physically access your laptop.

What should I do now?

SafeBreach reported the vulnerability in August and Lenovo pushed out a fix on Nov 19. 

To protect your laptop, go to Lenovo's downloads page and update Lenovo System Interface Foundations to version 1.1.18.3 (or higher). Once the patch is installed, your system should be protected from the vulnerability.