Details of VAR-201505-0137

ID

VAR-201505-0137

CVE

CVE-2015-2219

TITLE

Lenovo System Update Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2015-002672

DESCRIPTION

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe. Lenovo System Update is prone to a local privilege-escalation vulnerability. A local attacker can exploit this vulnerability to execute arbitrary commands with SYSTEM privileges. Lenovo System Update 5.6.0.27 and prior versions are vulnerable. Lenovo System Update (formerly known as ThinkVantage System Update) is a set of system automatic update tools provided by China Lenovo (Lenovo), which includes device driver updates, Windows system patch updates, etc

Trust: 1.98

sources: NVD: CVE-2015-2219 // JVNDB: JVNDB-2015-002672 // BID: 74649 // VULHUB: VHN-80180

AFFECTED PRODUCTS

vendor:	lenovo	model:	system update	scope:	lte	version:	5.06.0027	Trust: 1.0
vendor:	lenovo	model:	system update	scope:	lt	version:	5.06.0034	Trust: 0.8
vendor:	lenovo	model:	system update	scope:	eq	version:	5.06.0027	Trust: 0.6
vendor:	lenovo	model:	system update	scope:	eq	version:	5.6.0.27	Trust: 0.3
vendor:	lenovo	model:	system update	scope:	ne	version:	5.6.34	Trust: 0.3

sources: BID: 74649 // JVNDB: JVNDB-2015-002672 // CNNVD: CNNVD-201505-099 // NVD: CVE-2015-2219

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-2219
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-2219
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201505-099
value:	HIGH
Trust: 0.6
VULHUB:	VHN-80180
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-2219
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-80180
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-80180 // JVNDB: JVNDB-2015-002672 // CNNVD: CNNVD-201505-099 // NVD: CVE-2015-2219

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-80180 // JVNDB: JVNDB-2015-002672 // NVD: CVE-2015-2219

THREAT TYPE

local

Trust: 0.9

sources: BID: 74649 // CNNVD: CNNVD-201505-099

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201505-099

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002672

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-80180

PATCH

title:	LEN-2015-011	url:	http://support.lenovo.com/us/en/product_security/lsu_privilege	Trust: 0.8
title:	systemupdate506-05-15-2015	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=56015	Trust: 0.6

sources: JVNDB: JVNDB-2015-002672 // CNNVD: CNNVD-201505-099

EXTERNAL IDS

db:	NVD	id:	CVE-2015-2219	Trust: 2.8
db:	SECTRACK	id:	1032268	Trust: 1.7
db:	BID	id:	74649	Trust: 1.4
db:	JVNDB	id:	JVNDB-2015-002672	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-099	Trust: 0.7
db:	EXPLOIT-DB	id:	41708	Trust: 0.1
db:	PACKETSTORM	id:	132019	Trust: 0.1
db:	VULHUB	id:	VHN-80180	Trust: 0.1

sources: VULHUB: VHN-80180 // BID: 74649 // JVNDB: JVNDB-2015-002672 // CNNVD: CNNVD-201505-099 // NVD: CVE-2015-2219

REFERENCES

url:	http://support.lenovo.com/us/en/product_security/lsu_privilege	Trust: 2.0
url:	http://www.ioactive.com/pdfs/lenovo_system_update_multiple_privilege_escalations.pdf	Trust: 2.0
url:	http://securitytracker.com/id/1032268	Trust: 1.7
url:	http://www.securityfocus.com/bid/74649	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2219	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2219	Trust: 0.8
url:	http://www.lenovo.com/ca/en/	Trust: 0.3

sources: VULHUB: VHN-80180 // BID: 74649 // JVNDB: JVNDB-2015-002672 // CNNVD: CNNVD-201505-099 // NVD: CVE-2015-2219

CREDITS

Michael Milvich and Sofiane Talmat of IOActive

Trust: 0.3

sources: BID: 74649

SOURCES

db:	VULHUB	id:	VHN-80180
db:	BID	id:	74649
db:	JVNDB	id:	JVNDB-2015-002672
db:	CNNVD	id:	CNNVD-201505-099
db:	NVD	id:	CVE-2015-2219

LAST UPDATE DATE

2024-11-23T21:44:17.986000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-80180	date:	2016-12-03T00:00:00
db:	BID	id:	74649	date:	2015-04-14T00:00:00
db:	JVNDB	id:	JVNDB-2015-002672	date:	2015-05-18T00:00:00
db:	CNNVD	id:	CNNVD-201505-099	date:	2015-05-15T00:00:00
db:	NVD	id:	CVE-2015-2219	date:	2024-11-21T02:27:01.687

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-80180	date:	2015-05-12T00:00:00
db:	BID	id:	74649	date:	2015-04-14T00:00:00
db:	JVNDB	id:	JVNDB-2015-002672	date:	2015-05-18T00:00:00
db:	CNNVD	id:	CNNVD-201505-099	date:	2015-05-13T00:00:00
db:	NVD	id:	CVE-2015-2219	date:	2015-05-12T19:59:10.587