Lenovo laptop owners should update their systems immediately.
Security researchers at SafeBreach found a vulnerability (opens in new tab) in Lenovo System Interface Foundation, a service pre-installed on Lenovo PCs.
Assigned the identification number CVE-2019-6189, the vulnerability can be used by an attacker to take over a machine and plant malicious code, all while remaining hidden.
Lenovo System Interface Foundation is a component required to run Lenovo Settings for Enterprise and Lenovo Vantage, an application pre-installed on almost every modern Lenovo laptop that lets users update drivers, run diagnostics and request support.
It's not clear how many laptops have been targeted, but SafeBreach states "...this service was interesting because it is preinstalled on Windows-based Lenovo PCs. A vulnerability in such a service would have a big impact and would be interesting to many people."
How does it work?
Without getting too deep into the weeds, SafeBreach discovered the CVE-2019-6189 vulnerability by loading an arbitrary DLL, or a file that runs in place of another file, into a signed process that runs as NT AUTHORITY/SYSTEM (an admin account with the highest level privileges).
Specifically, the security research group was able to load Wintrust.dll and execute code within Lenovo.Modern.ImController.PluginHost.Device.
With this sort of access, they could have planted malicious payloads in the Lenovo System Interface Foundation service while posing as a legitimate admin. It could even have done so in a persistent way, which means the damaging code would run every time an infected system was restarted.
SafeBreach explains that the two root causes of the breach in security are that there is no digital certification validation and because of an untrusted DLL search order.
Is your Lenovo laptop in danger?
Lenovo posted a support page (opens in new tab) describing the vulnerability, which it deemed to be of "Medium" severity.
It's important to note that a malicious actor would need administrator privileges on your laptop to exploit this vulnerability, so you should be protected as long as you don't let someone physically access your laptop.
What should I do now?
SafeBreach reported the vulnerability in August and Lenovo pushed out a fix on Nov 19.
To protect your laptop, go to Lenovo's downloads page (opens in new tab) and update Lenovo System Interface Foundations to version 22.214.171.124 (or higher). Once the patch is installed, your system should be protected from the vulnerability.