Cybercriminals can use a privilege elevation weakness in the ImControllerService service in Lenovo laptops, including ThinkPad and Yoga models, to execute commands with admin capabilities.
The vulnerabilities are listed as CVE-2021-3922 and CVE-2021-3969, and they affect the ImControllerService component of all Lenovo System Interface Foundation versions below 184.108.40.206, according to BleepingComputer. The display name of this service on the Windows services panel is “System Interface Foundation Service.”
This service is part of the Lenovo System Interface Foundation, and it allows Lenovo laptops to connect to universal programmes like Lenovo Companion, Lenovo Settings, and Lenovo ID.
The Lenovo System Interface Foundation Service connects Lenovo applications like Lenovo Companion, Lenovo Settings, and Lenovo ID to critical functionality including system power management, system optimization, driver and application updates, and system settings.
Lenovo applications will not work properly if you disable this service.
The Source for Vulnerability
The flaws were discovered by NCC Group cybersecurity researchers, who informed Lenovo laptop manufacturers of their findings on October 29, 2021.
The Chinese multinational technology corporation released the security updates on November 17, 2021, and the relevant alert was made public on December 14, 2021.
ImController requires SYSTEM capabilities to acquire and install files from Lenovo servers, start child processes, and perform system setup and maintenance activities, according to BleepingComputer.
SYSTEM privileges in Windows are the highest degree of user rights, allowing you to execute practically any command on the operating system. In Windows, acquiring SYSTEM capabilities provides a user complete control over the system, allowing them to install malware, add users, and change nearly every system option.
This Windows service will spawn new child processes, which will link with the child process using named pipe servers utilised by the ImController service. ImController will communicate with the identified pipe and send XML serialised commands that should be executed when one of these services is required to carry out a task.
Unfortunately, the service fails to safeguard communication between privileged child processes and to validate the source of XML serialised commands. This means that any other process, including malicious ones, can connect to the child process and send commands to it.
As a result, a threat actor who takes advantage of this security flaw can command the system to load a ‘plugin’ from any filesystem location.
The second problem is a time-of-check to time-of-use (TOCTOU) flaw, which allows attackers to stop a validated ImControllerService plugin from loading and replace it with whatever DLL they choose.
After the lock is removed and the loading process proceeds, the DLL is executed, resulting in privilege escalation.
Unfortunately, the service does not encrypt interactions between privileged child processes and does not verify the source of XML serialised commands. This means that any other process, including malicious ones, can communicate with the child process and issue directives.
All Windows users with Lenovo laptops or desktops running ImController version 220.127.116.11 or older are advised to upgrade to the most recent version available (18.104.22.168).
It is not explicitly recommended that you remove the ImController component, also known as the Lenovo System Interface Foundation, from your computer because it may hinder certain of your device’s functionality, even if it isn’t regarded important.