Security issues in hardware and systems continue to surface, even as the year draws to a close. Two flaws in ImControllerService, a service present on Lenovo notebooks and desktops such as the ThinkPad and Yoga models, allow attackers to escalate the privileges of operating system accounts and thereby take control of the affected machines.

The vulnerabilities were discovered by security research firm NCC Group, which reported them to Lenovo on October 29, 2021. The company released updates fixing them on November 17 and published a report on the problem last Tuesday (14).

The flaws, tracked as CVE-2021-3922 and CVE-2021-3969, affect versions below 1.1.20.3 of Lenovo System Interface's ImControllerService component, which is used to communicate with universal enterprise applications. In the Windows services console, the service appears as System Interface Services.

NCC Group demonstration of how the failure works.

The first flaw stems from the fact that ImController must be able to install files downloaded from Lenovo servers, so it runs with SYSTEM privileges, which allow code execution and full control of Windows.

To download these files, ImController spawns several child processes, all with SYSTEM privileges. Because of a flaw in how the service communicates with and authenticates these processes, they are not validated, so a maliciously injected process can pass as an ImController child and run on the machine.

The second flaw is a time-of-check to time-of-use (TOCTOU) issue. It allows attackers to stall the installation of a valid ImControllerService plugin or file and replace it with a package of their choice, which then has its privileges elevated as it goes through the installation process.

All Lenovo notebook or desktop users who are running a version lower than 1.1.20.2 of ImControllerService should update the service immediately.

To identify which version your computer is currently running, follow these steps:

Open Windows File Explorer and go to C:\Windows\Lenovo\ImController\PluginHost;

Right-click Lenovo.Modern.ImController.PluginHost.exe and select Properties;

Click on the Details tab and check the version.
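
The same check can be scripted for a fleet. The PowerShell below is an added example, not code from Lenovo or NCC Group; the function name, verdict labels and default threshold are assumptions (the article cites both 1.1.20.3 and 1.1.20.2, so the fixed version is a parameter).

```powershell
param(
    # Assumption: first fixed version. The article cites both 1.1.20.3 and 1.1.20.2.
    [version]$FixedVersion = '1.1.20.3',
    [string]$PluginHost = 'C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe'
)

# Hypothetical helper: reports whether the ImController plugin host is below the fixed version.
function Get-ImControllerStatus {
    param([version]$FixedVersion, [string]$Path)

    # The service is listed as "System Interface Services" in the services console.
    $svc = Get-Service -Name 'ImControllerService' -ErrorAction SilentlyContinue
    $result = [ordered]@{
        Computer       = $env:COMPUTERNAME
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        FileVersion    = $null
        Verdict        = 'NotInstalled'
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # Build the version from the numeric fields, the same value shown on the
        # Details tab, instead of parsing the free-form FileVersion string.
        $vi = (Get-Item -LiteralPath $Path).VersionInfo
        $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.FileVersion = $installed
        $result.Verdict = if ($installed -lt $FixedVersion) { 'UpdateRequired' } else { 'Patched' }
    }
    elseif ($svc) {
        # Service registered but binary not at the expected path: needs a manual look.
        $result.Verdict = 'Unknown'
    }
    [pscustomobject]$result
}

$status = Get-ImControllerStatus -FixedVersion $FixedVersion -Path $PluginHost
$status
# Non-zero exit code lets a management tool flag machines that still need the update.
if ($status.Verdict -eq 'UpdateRequired') { exit 1 }
```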

Finally, removing either the component or the Lenovo System Interface Foundation is not recommended, as it may result in loss of functionality on the brand's computers.

Source: NCC Group