Vulnerabilities > CVE-2015-8109 - Credentials Management vulnerability in Lenovo System Update

CVSS 6.9 - MEDIUM

Attack vector

LOCAL

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

lenovo

CWE-255

NVD

Published: 2017-04-24

Updated: 2017-04-29

Summary

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Lenovo Lenovo Lenovo System Update *	1

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

References

http://www.securityfocus.com/bid/98039
https://ioactive.com/pdfs/IOActive_Advisory_Lenovo_SystemUpdate-Insecure-Random-Admin-Password.pdf
https://support.lenovo.com/us/en/product_security/lsu_privilege