Security researchers have discovered two vulnerabilities in programs that come with Lenovo laptops. These vulnerabilities allow attackers to gain admin rights. Updates are available for affected devices.
CVE-2021-3922.2 and CVE-2021-39669 are the registered numbers for these newly discovered vulnerabilities. They were found in the software component IMControllerService, a service that is pre-installed on many Lenovo ThinkPad and Lenovo Yoga devices. It also includes additional features, such as the diagnostic and optimization tool Lenovo Vantage. The vulnerabilities have not been officially classified.
The NCC Group has published a report that shows the vulnerabilities' high threat potential. Attackers can use these flaws to execute code with elevated privileges. Both vulnerabilities can only be exploited locally, so an attacker must already have access to the computer. In practice, multiple exploits can be combined to gain access to a computer and run programs with administrator rights.
Lenovo quickly responded to the problem and released an update for the affected program. In most cases, the update should be downloaded automatically. To check the version number, go to the path "C:\Windows\Lenovo\ImController\PluginHost", right-click the file "Lenovo.Modern.ImController.PluginHost.exe" and display its details.
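The manual version check above can be scripted when several machines need to be inventoried. The following PowerShell is an added example, not code from Lenovo or the NCC Group. The `-MinimumVersion` parameter is a placeholder for the fixed version from Lenovo's advisory, which this article does not state, and the Windows service name is assumed to match the component name given above.

```powershell
# Added example: report the installed ImController PluginHost version.
# Path and file name come from the article. The fixed version is NOT stated
# there, so it must be passed in from Lenovo's advisory.
param(
    [Parameter(Mandatory)]
    [version]$MinimumVersion   # placeholder value, taken from Lenovo's advisory
)

$path = Join-Path $env:windir 'Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.exe'

if (-not (Test-Path -LiteralPath $path)) {
    # Component is not installed, so there is nothing to update on this machine.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Installed   = $false
        FileVersion = $null
        Service     = $null
        UpToDate    = $null
    }
    return
}

# Build the version from the numeric parts; the FileVersion string may carry
# extra text that [version] cannot parse.
$info      = (Get-Item -LiteralPath $path).VersionInfo
$installed = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)

# Assumption: the service is registered under the component name from the article.
$svc = Get-Service -Name 'IMControllerService' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Installed   = $true
    FileVersion = $installed
    Service     = if ($svc) { $svc.Status } else { 'NotFound' }
    UpToDate    = ($installed -ge $MinimumVersion)
}
```

Machines that report `UpToDate = False` did not receive the automatic update and need it installed manually.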