Vulnerabilities > CVE-2015-8109 - Credentials Management vulnerability in Lenovo System Update 5.07.0013

CVSS 7.0 - HIGH

Attack vector

LOCAL

Attack complexity

HIGH

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

high complexity

lenovo

CWE-255

NVD

Published: 2017-04-24

Updated: 2017-04-29

Summary

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Lenovo Lenovo Lenovo System Update 5.07.0013	1

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

References

https://support.lenovo.com/us/en/product_security/lsu_privilege
https://ioactive.com/pdfs/IOActive_Advisory_Lenovo_SystemUpdate-Insecure-Random-Admin-Password.pdf
http://www.securityfocus.com/bid/98039