CVE-2023-4632: Local Privilege Escalation in Lenovo System Updater
Security Boulevard securityboulevard.com
Version: Lenovo Updater Version <= 5.08.01.0009
Operating System Tested On: Windows 10 22H2 (x64)
Vulnerability: Lenovo System Updater Local Privilege Escalation via Arbitrary File Write
Advisory: https://support.lenovo.com/us/en/product_security/LEN-135367
Vulnerability Overview
The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn’t exist on the filesystem. Due to the ability for any low-privileged user to …