Lenovo laptops, including the ThinkPad and Yoga families, are affected by privilege elevation issues that reside in the ImControllerService service and allow attackers to execute commands with admin privileges. The vulnerabilities, tracked as CVE-2021-3922 and CVE-2021-3969, are a race condition vulnerability and a time-of-check to time-of-use (TOCTOU) vulnerability.
The flaws affect the ImControllerService service (“System Interface Foundation Service”) of all Lenovo System Interface Foundation versions below 188.8.131.52. The Lenovo System Interface Foundation Service provides interfaces for multiple features, including system power management, system optimization, and driver and application updates; for this reason it is not recommended to disable it.
The ImController service comes installed on certain Lenovo devices; it runs as the SYSTEM user and periodically executes child processes that perform system configuration and maintenance tasks.
An attacker can exploit the vulnerabilities to elevate their privileges to SYSTEM and take over the vulnerable device. The vulnerability resides in the way the ImControllerService handles the execution of highly privileged child processes, which allows an unprivileged attacker with local access to the system to elevate their privileges.
The vulnerable component periodically starts child processes to perform tasks, and each of them opens a named pipe server to which any user on the system can connect.
The researchers noticed that the child process does not validate the source of the connection, meaning it will begin accepting commands from the attacker over high-performance filesystem synchronization routines once the race condition has been exploited. They developed proof-of-concept code that never failed to connect to the named pipe before the parent service could do so.
The second issue, the time-of-check to time-of-use (TOCTOU) vulnerability, is exploited to stall the loading process and replace the validated plugin with a malicious DLL file, which is then executed with high privileges.
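To make the check-then-use gap concrete, here is an added illustration (not the page's or Lenovo's code; every function name, the fake plugin bytes and the swap callback are hypothetical) of a loader that validates a plugin by path and then re-opens the path, beside one that validates the exact bytes it will use:

```python
import hashlib
import os
import tempfile

# Constructed illustration of the check-then-use gap described above.
# Function names, the fake "plugin" bytes and the swap() callback are
# hypothetical; none of this is Lenovo's code. A real loader would map a
# DLL rather than read bytes, but the ordering problem is the same.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_plugin_vulnerable(path, expected_hash, window=None):
    """Check by path, then re-open by path: the file can change in between."""
    with open(path, "rb") as f:            # time of check
        if sha256_hex(f.read()) != expected_hash:
            raise ValueError("plugin failed validation")
    if window:                             # models the stalled loader
        window(path)
    with open(path, "rb") as f:            # time of use: a second lookup of the path
        return f.read()


def load_plugin_hardened(path, expected_hash, window=None):
    """Read once, validate the bytes actually read, and use only those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if window:                             # same window, but the path is never re-read
        window(path)
    if sha256_hex(data) != expected_hash:
        raise ValueError("plugin failed validation")
    return data


def demo():
    good = b"GOOD-PLUGIN"                  # constructed stand-in for the signed plugin
    evil = b"EVIL-PLUGIN"                  # constructed stand-in for the swapped-in DLL
    expected = sha256_hex(good)
    path = os.path.join(tempfile.mkdtemp(), "plugin.dll")

    def swap(p):                           # simulates the file being replaced in the window
        with open(p, "wb") as f:
            f.write(evil)

    with open(path, "wb") as f:
        f.write(good)
    loaded_vuln = load_plugin_vulnerable(path, expected, swap)   # check passed, evil bytes used
    with open(path, "wb") as f:
        f.write(good)
    loaded_safe = load_plugin_hardened(path, expected, swap)     # good bytes; swap is irrelevant
    return loaded_vuln, loaded_safe
```

The hardened variant closes the window by binding validation to the content it will execute rather than to a path that an unprivileged user can rewrite; on Windows the same idea applies to verifying a DLL through the handle it will be loaded from, combined with directory ACLs that keep unprivileged users from writing plugin files.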
The vulnerability was reported to Lenovo by researchers on October 29, 2021, and the vendor addressed it with the release of security updates on November 17, 2021. This week the company publicly disclosed the vulnerability.