Not all PC vulnerabilities are due to Microsoft. Sometimes the software bundled with a laptop can introduce its own serious issues.

Security researchers have discovered that the management software built into the Lenovo Yoga and Lenovo ThinkPad range of laptops can open up your device to being exploited.

They discovered two vulnerabilities in the ImControllerService service that could be exploited to escalate privileges and thereby gain control of the system.

The vulnerabilities are:

CVE-2021-3922: A race condition vulnerability has been reported in IMController, a software component of the Lenovo System Interface Foundation, which could allow a local attacker to connect and interact with the named pipe of the IMController child process.

CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability has been reported in IMController, a software component of the Lenovo System Interface Foundation, which could allow a local attacker to elevate privileges.

While both vulnerabilities require local access, attackers often chain local exploits with other flaws to ultimately take control of your PC, so even local vulnerabilities need to be patched.

Fortunately, Lenovo has an update available to the Lenovo System Interface Foundation’s IMController component which takes it to version 1.1.20.3 and which fixes the issue.

The update will either be automatically pushed out or you can trigger the update manually by restarting your computer or restarting the “System Interface Foundation Service”.

To check if you already have the latest version of Lenovo IMController:

  • Open File Explorer and go to C:\Windows\Lenovo\ImController\PluginHost\
  • Right-click Lenovo.Modern.ImController.PluginHost.exe and select Properties.
  • Click on the Details tab.
  • Read the version of the file.
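The same check, scripted for PowerShell so it can be run across a fleet rather than one machine at a time. This is an added example, not a script from the article or from Lenovo: the file path and the fixed version 1.1.20.3 are the ones the article gives; the service name `ImControllerService` is taken from the article and is assumed to match the installed service's name, which may differ on some systems.

```powershell
# Added example (not from the article): compares the installed IMController
# PluginHost file version against the fixed version the article names.
# Assumptions: the path below is the one the article gives; the service
# name 'ImControllerService' is taken from the article and may differ.

$FixedVersion = [version]'1.1.20.3'
$PluginHost   = 'C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe'

function Get-ImControllerVersion {
    param([string]$Path = $PluginHost)
    if (-not (Test-Path -LiteralPath $Path)) {
        return $null   # not a Lenovo system, or IMController is not installed
    }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # FileVersion is free text; keep only the leading dotted number so [version] can parse it
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

$installed = Get-ImControllerVersion
if ($null -eq $installed) {
    Write-Output "IMController PluginHost not found or version unreadable at $PluginHost"
} elseif ($installed -ge $FixedVersion) {
    Write-Output "IMController $installed is at or above $FixedVersion (fix for CVE-2021-3922 / CVE-2021-3969 present)"
} else {
    Write-Output "IMController $installed is older than $FixedVersion; restart the computer or the 'System Interface Foundation Service' to pull the update"
}

# Service state, for the manual update path the article describes
Get-Service -Name 'ImControllerService' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status
```

The comparison is done on `[version]` objects rather than strings, so `1.1.20.10` correctly sorts above `1.1.20.3`; a plain string comparison would get that wrong.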

via WBI
