Do you own a Lenovo Yoga or ThinkPad laptop? 

If so be advised that a pair of critical security flaws have recently been found that could allow an attacker Admin level access to your machine.

The flaws are centered in the IMControllerService and are being tracked as CVE-2021-3922 and CVE-2021-3969.  They impact all Lenovo System Interface Foundations versions below 1.1.20.3.

 

According to Microsoft

"The Lenovo System Interface Foundation Service provides interfaces for key features such as: system power management, system optimization, driver and application updates, and system settings to Lenovo applications including Lenovo Companion, Lenovo Settings and Lenovo ID."

Unfortunately, that means that simply disabling the service is not an option.  Since it is so tightly woven into the fabric of these machines disabling it will essentially render your laptop nonfunctional. At the very least it may stop several key features of your machine from working properly.

NCC Group the vulnerabilities explained

"The first vulnerability is a race condition between an attacker and the parent process connecting to the child process' named pipe.

An attacker using high-performance filesystem synchronization routines can reliably win the race with the parent process to connect to the named pipe."

They went on to explain that the second flaw was centered around a "time of check to time of use" vulnerability. That allows an attacker to interrupt the loading process of a validated ImControllerService plugin and replace it with a DLL of the attacker's choosing.

 

My perspective

The good news is that Lenovo moved quickly and as of December 14th, the issue has been resolved.  If you have one of the laptops mentioned above or some other model that makes use of the ImControllerService be sure to download the latest updates from Lenovo to plug the hole in your machine's security. Kudos to Lenovo for their swift response!

 

And Emeril said: "Bam!"

 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this post. I always take into mind that your time and attention are precious. And these posts need to be timely, to the point, and short.

For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.

 

Contact me if you would like me to speak to your association