Skip to main content

Lenovo issues update fixing software vulnerabilities on many of its computers

Lenovo ThinkPad X1 Yoga
Bill Roberson/Digital Trends
Information security company Trustwave Holdings provided Digital Trends with an early glimpse into an upcoming blog set to be published on Friday afternoon, stating that the firm has discovered multiple vulnerabilities in the Lenovo Solution Center software that’s pre-installed on most Lenovo products including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select Ideapad laptops.

The report was provided by Trustwave’s Martin Rakhmanov, and reveals that the vulnerabilities in this specific Lenovo software suite allows “unprivileged” local users to run arbitrary code with the highest system-level privileges. Typically, only the administrator has full system access, but the problem allows any non-administrator account on the computer to be used to hack the system.

Recommended Videos

The exploits were discovered in Lenovo Solution Center version 2.8.006 but affects all versions prior to 3.3.0002. Hackers can simply open up the Command Prompt to launch the Lenovo Solution Center service, or launch the Lenovo System Health and Diagnostics application through the Control Panel. After that, the hackers can enter a specific URL in any web browser and pull up the Device Manager running as LocalSystem instead of the current non-administrative user.

Please enable Javascript to view this content

With Device Manager now loaded, hackers can install a new “driver” that will execute whatever code they choose in user mode or kernel mode. However, the report said that the kernel mode drivers must be signed by default whereas the user mode drivers can run as a LocalService account. To execute the code, hackers must create a “dummy” driver with an INF file that points back to a malicious DLL file stored on the hard drive.

That said, hackers merely use the “Add legacy hardware” option in Device Manager, select “Install the hardware that I manually select from a list (Advanced),” then “Show All Devices,” and finally “Have Disk.” The hackers then locate the INF file and agree to install non-verified driver software.

According to the report, Trustwave contacted Lenovo about the issue with Lenovo Solution Center on January 11. Subsequently, a patch was released by Lenovo on April 26. Lenovo has provided a warning page here that explains the situation and adds that hackers can attack the vulnerable PC remotely as well. The company also points out that while Lenovo Solution Center may not be actively running on the screen, the vulnerable backend service process continues to run.

“A cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine.  The user’s computer may still be vulnerable even if the LSC user interface is not running,” the warning current states.

The release history shows that 3.3.002 is the latest version of Lenovo Solution Center. Customers are encouraged to upgrade the software by clicking “Yes” or “Update Now” when prompted on the program’s user interface, depending on the version currently installed.

As previously stated, Lenovo installs this software on most of its PCs. The suite serves as a hub for monitoring the system’s health and security such as firewall status, antivirus status, battery health, and more. It joins a number of other software components Lenovo loves to install like Lenovo App Shop, Lenovo Companion, Lenovo Reach, and so on.

This isn’t the first time Lenovo has experienced troubles with its pre-installed software. The company faced a lawsuit early last year after it pre-installed the SuperFish “man-in-the-middle” adware on a number of its consumer-based PCs. SuperFish not only injects suggested ads into search results, but can cause severe security issues. The company admitted to making a mistake and distributed fixes that removed applications and certificates based on SuperFish from purchased Lenovo solutions. Uninstall instructions were also provided here.

We reached out to Lenovo for a comment but have yet to receive a reply.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Get a Copilot+ laptop for under $1,000 with this Best Buy deal
Acer Swift 14 AI front view showing display and keyboard.

Microsoft's Copilot is an amazing AI assistant, and Copilot+ PCs and laptops are designed to take advantage of the technology. The Acer Swift 14 AI is an excellent example, and it's available from Best Buy with a huge $400 discount that slashes its price from $1,200 to only $800. We're not sure how much time is remaining before this offer expires, but if you want to make sure that you buy this powerful machine for less than $1,000, we highly recommend proceeding with your purchase as soon as possible.

Why you should buy the Acer Swift 14 AI
The Acer Swift 14 AI is a Copilot+ laptop that's made by one of the best laptop brands, so you can be sure you're getting a high-quality device. With Microsoft's Copilot running on the laptop itself, you'll receive faster response times from the AI with enhanced security, for tasks such as finding documents and web pages using Recall, generating and editing images, and translating between languages in real-time. The Acer Swift 14 AI can handle these functions because it's powered by the Qualcomm Snapdragon X Elite processor, Qualcomm Snapdragon X Elite Adreno Graphics, and 16GB of RAM.

Read more
This 17-inch LG laptop is $700 off, but you need to hurry
LG Gram 17 2021 laptop

If you want your next laptop to have a relatively big screen, you should check out Best Buy's offer for the LG Gram 17. From its original price of $1,800, it's down to a more reasonable $1,100 following a $700 discount. There's no telling how much time remains before this bargain ends though, so if you want to get this device for a much lower price than usual, you're going to have to hurry with your purchase. As with most laptop deals, any delay may cause you to miss out on the savings.

Why you should buy the LG Gram 17 laptop
If you like working on a large display, you should heavily consider going for the LG Gram 17. The laptop is equipped with a 17-inch screen with a 16:10 aspect ratio and Full HD resolution, so you'll clearly see all the details of your projects. It's also great for watching streaming shows and browsing social media whenever you're taking a break because of its vivid colors. Despite a display that's larger than most of its peers, the LG Gram 17 maintains portability, as it's exceptionally light and it offers a long battery life, while promising durability as it meets military-grade standards.

Read more
Quick! This RTX 4080-powered gaming laptop is under $2,000
A Lenovo Legion Pro 7i at a side angle.

For one of the best gaming laptop deals around -- and one I’m personally tempted by -- check out what Walmart has to offer. Right now, you can buy the Lenovo Legion Pro 7i for just $2,000. It normally costs $2,650 thanks to its high-end hardware, but right now you can save $650 and score a gaming laptop that will last you a long time to come. One of the best laptop deals around, let’s take a look at why you’ll love it.

Why you should buy the Lenovo Legion Pro 7i
Lenovo is one of the best gaming laptop brands out there and one that I have used extensively in the past. Its Legion range is the one to check out for gaming, and it’s always consistently great. With this Lenovo Legion Pro 7i, you get a 14th-generation Intel Core i9-14900HX CPU with 16GB of RAM and 1TB of SSD storage space. There’s also an Nvidia GeForce RTX 4080 graphics card, so you’re in great hands for some high-end gaming.

Read more