CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater | allinfosecnews.com

Oct. 26, 2023, 4:52 p.m. | Matt Nelson

Security Boulevard securityboulevard.com

Version: Lenovo Updater Version <= 5.08.01.0009
Operating System Tested On: Windows 10 22H2 (x64)
Vulnerability: Lenovo System Updater Local Privilege Escalation via Arbitrary File Write
Advisory: https://support.lenovo.com/us/en/product_security/LEN-135367

Vulnerability Overview

The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn’t exist on the filesystem. Due to the ability for any low-privileged user to …

administrators application check directory filesystem lenovo low non privileged privileged user process research root system update updates vulnerability workstation xml

More from securityboulevard.com / Security Boulevard

Navigating Email: From Spam Wars to Trusted Relationships 3 hours ago | securityboulevard.com

art call communication email +6

USENIX Security ’23 – Intender: Fuzzing Intent-Based Networking with Intent-State Transition Guidance 21 hours ago | securityboulevard.com

access authors channel conference +20

Disgraced, Twice Impeached, Former President Joins His Long List Of Campaign And Administration Officials And … 21 hours ago | securityboulevard.com

administration advisors campaign candidates +8

What is an IS (RBI) Audit? 1 day, 5 hours ago | securityboulevard.com

address audit banking banks +27

The Ultimate Guide to FedRAMP Marketplace Designations 1 day, 13 hours ago | securityboulevard.com

agency authentication can cloud +19

Understanding Credential Phishing 1 day, 13 hours ago | securityboulevard.com

attackers breach breaches ceo +23

Adaptive DDoS Defense’s Value in the Security Ecosystem 1 day, 14 hours ago | securityboulevard.com

adaptive ddos analytics & intelligence and response attack +24

Understanding Business Email Compromise (BEC) 1 day, 14 hours ago | securityboulevard.com

attackers attacks bec business +17

Risk vs. Threat vs. Vulnerability: What is the difference? 1 day, 15 hours ago | securityboulevard.com

ciso suite click cyber lingo cyber security risks +11

CyberSOC Technical Lead

@ Integrity360 | Sandyford, Dublin, Ireland

View on infosec-jobs.com

Cyber Security Strategy Consultant

@ Capco | New York City

View on infosec-jobs.com

Cyber Security Senior Consultant

@ Capco | Chicago, IL

View on infosec-jobs.com

Sr. Product Manager

@ MixMode | Remote, US

View on infosec-jobs.com

Security Compliance Strategist

@ Grab | Petaling Jaya, Malaysia

View on infosec-jobs.com

Cloud Security Architect, Lead

@ Booz Allen Hamilton | USA, VA, McLean (1500 Tysons McLean Dr)

View on infosec-jobs.com