Vulnerabilities > CVE-2015-2234 - Race Condition vulnerability in Lenovo System Update 5.06.0027

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
lenovo
CWE-362
nessus

Summary

Race condition in Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses world-writable permissions for the update files directory, which allows local users to gain privileges by writing to an update file after the signature is validated.

Vulnerable Configurations

Part Description Count
Application
Lenovo
2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL familyWindows
NASL idLENOVO_SU_5_6_0_34.NASL
descriptionThe version of Lenovo System Update installed on the remote host is prior to 5.06.0034. It is, therefore, affected by the following vulnerabilities : - A flaw exists in SUService.exe (System Update service) due to generating security tokens for a named pipe in a predictable manner. A local attacker, by sending a valid token, can exploit this flaw to execute commands to gain elevated privileges. (CVE-2015-2219) - A flaw exists due to a failure to properly validate the certificate authority chain when downloading updates. A man-in-the-middle attacker, using a crafted certificate, can exploit this flaw to inject malicious updates, thereby allowing the execution of arbitrary files. (CVE-2015-2233) - A flaw exists due to signature validation for updates occurring in a directory having world-writeable permissions. This can allow a local attacker to swap the update before it is installed and thereby gain elevated privileges. (CVE-2015-2234) Note that Nessus has not tested for these issues but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id83736
published2015-05-21
reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/83736
titleLenovo System Update < 5.06.0034 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83736);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/12 19:01:17");

  script_cve_id("CVE-2015-2219", "CVE-2015-2233", "CVE-2015-2234");
  script_bugtraq_id(74634, 74642, 74649);

  script_name(english:"Lenovo System Update < 5.06.0034 Multiple Vulnerabilities");
  script_summary(english:"Checks the file version of Lenovo System Update.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Lenovo System Update installed on the remote host is
prior to 5.06.0034. It is, therefore, affected by the following
vulnerabilities :

  - A flaw exists in SUService.exe (System Update service)
    due to generating security tokens for a named pipe in a
    predictable manner. A local attacker, by sending a valid
    token, can exploit this flaw to execute commands to gain
    elevated privileges. (CVE-2015-2219)

  - A flaw exists due to a failure to properly validate the
    certificate authority chain when downloading updates. A
    man-in-the-middle attacker, using a crafted certificate,
    can exploit this flaw to inject malicious updates,
    thereby allowing the execution of arbitrary files.
    (CVE-2015-2233)

  - A flaw exists due to signature validation for updates
    occurring in a directory having world-writeable
    permissions. This can allow a local attacker to swap the
    update before it is installed and thereby gain elevated
    privileges. (CVE-2015-2234)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://support.lenovo.com/us/en/product_security/lsu_privilege");
  script_set_attribute(attribute:"solution", value:"Upgrade to Lenovo System Update 5.06.0034 or later.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Lenovo System Update Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:lenovo:system_update");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("lenovo_su_detection.nbin");
  script_require_keys("installed_sw/Lenovo System Update");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app = "Lenovo System Update";

install = get_single_install(app_name: app, exit_if_unknown_ver: TRUE);

path = install['path'];
version = install['version'];

fix = "5.6.0.34";

# Versions < 5.6.0.34 are vulnerable.
if (ver_compare(ver: version, fix: fix, strict:FALSE) < 0)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    productname = get_kb_item("SMB/ProductName");

    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version;

    if ( "XP" >< productname || "Vista" >< productname)
    {
      report +=
        '\n' +
        '\n  Lenovo System Update is no longer supported on Windows XP and Windows Vista hosts.' +
        '\n  Please refer to the vendor advisory for more information.' +
        '\n';
    }
    else
    {
      report +=
        '\n  Fixed version     : ' + fix +
        '\n';
    }
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);