Lenovo laptops vulnerable to bug allowing admin privileges (Security News, December 2021)
Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges.
The flaws are tracked as CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component of all Lenovo System Interface Foundation versions below 1.1.20.3.
The particular service is a component of Lenovo System Interface Foundation, which helps Lenovo devices communicate with universal apps like Lenovo Companion, Lenovo Settings, and Lenovo ID. The service is preinstalled by default on numerous Lenovo models, including Yoga and ThinkPad devices.
"The Lenovo System Interface Foundation Service provides interfaces for key features such as: system power management, system optimization, driver and application updates, and system settings to Lenovo applications including Lenovo Companion, Lenovo Settings and Lenovo ID," reads the description of the Windows service.
Because ImController needs to fetch and install files from Lenovo servers, execute child processes, and perform system configuration and maintenance tasks, it runs with SYSTEM privileges.
Removing the ImController component or the Lenovo System Interface Foundation from your device is not officially recommended: even though it is not considered essential, removing it may affect some functions on your device.
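Rather than removing the component, a defender can audit whether the installed build is still below the fixed version 1.1.20.3. The following PowerShell check is an added example, not code from the article or from Lenovo; it assumes the service is registered under the name ImControllerService and that its executable's FileVersion tracks the Lenovo System Interface Foundation version.

```powershell
# Added audit check (not from the article or Lenovo). Reports whether the
# ImControllerService binary on this host is older than LSIF 1.1.20.3.
# Assumptions: service name is 'ImControllerService' and the executable's
# FileVersion tracks the LSIF version. Run from an elevated PowerShell.

$FixedVersion = [version]'1.1.20.3'

function Get-ServiceExecutablePath {
    param([string]$ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" `
        -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    # PathName may be quoted and may carry arguments: "C:\...\x.exe" -arg
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split '\s+')[0]
}

function Test-ImControllerVulnerable {
    param([string]$ServiceName = 'ImControllerService')
    $exe = Get-ServiceExecutablePath -ServiceName $ServiceName
    if (-not $exe -or -not (Test-Path $exe)) {
        # Service absent: nothing to patch on this host
        return [pscustomobject]@{
            Service = $ServiceName; Installed = $false
            Version = $null; Vulnerable = $false
        }
    }
    $raw = (Get-Item $exe).VersionInfo.FileVersion
    # FileVersion strings can carry trailing text; keep the dotted numeric prefix
    $num = ([regex]::Match($raw, '^\d+(\.\d+){1,3}')).Value
    $ver = if ($num) { [version]$num } else { $null }
    [pscustomobject]@{
        Service    = $ServiceName
        Installed  = $true
        Path       = $exe
        Version    = $raw
        # Unparseable version is reported as not-vulnerable; inspect manually
        Vulnerable = ($null -ne $ver -and $ver -lt $FixedVersion)
    }
}

Test-ImControllerVulnerable | Format-List
```

A result with Vulnerable = True means the service binary predates the fix and the host should receive the vendor update; a missing or unparseable version warrants a manual look rather than a clean bill of health.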
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-18 | CVE-2021-3969 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Lenovo System Interface Foundation. A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3, that could allow a local attacker to elevate privileges. | 7.0 |
2022-05-18 | CVE-2021-3922 | Race Condition vulnerability in Lenovo System Interface Foundation. A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3, that could allow a local attacker to connect and interact with the IMController child process' named pipe. | 7.0 |