Sign-up

ID

VAR-201704-0226


CVE

CVE-2015-8109


TITLE

Lenovo System Update Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2015-007542

DESCRIPTION

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability.". Lenovo System Update ( Old ThinkVantage System Update) Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Lenovo System Update is prone to a local privilege-escalation vulnerability. A local attacker can exploit this vulnerability to gain Administrator or SYSTEM level privileges. Versions prior to Lenovo System Update 5.07.0019 are vulnerable. Lenovo System Update (formerly known as ThinkVantage System Update) is a set of system automatic update tools provided by China Lenovo (Lenovo), which includes device driver updates, Windows system patch updates, etc

Trust: 1.98

sources: NVD: CVE-2015-8109 // JVNDB: JVNDB-2015-007542 // BID: 98039 // VULHUB: VHN-86070

AFFECTED PRODUCTS

vendor:lenovomodel:system updatescope:lteversion:5.07.0013

Trust: 1.0

vendor:lenovomodel:system updatescope:ltversion:5.07.0019

Trust: 0.8

vendor:lenovomodel:system updatescope:eqversion:5.07.0013

Trust: 0.6

vendor:lenovomodel:system updatescope:eqversion:5.6.34

Trust: 0.3

vendor:lenovomodel:system updatescope:eqversion:3.14

Trust: 0.3

vendor:lenovomodel:system updatescope:eqversion:3

Trust: 0.3

vendor:lenovomodel:system updatescope:neversion:5.7.19

Trust: 0.3

sources: BID: 98039 // JVNDB: JVNDB-2015-007542 // CNNVD: CNNVD-201704-1366 // NVD: CVE-2015-8109

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8109
value: HIGH

Trust: 1.0

NVD: CVE-2015-8109
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201704-1366
value: MEDIUM

Trust: 0.6

VULHUB: VHN-86070
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-8109
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-86070
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-8109
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-86070 // JVNDB: JVNDB-2015-007542 // CNNVD: CNNVD-201704-1366 // NVD: CVE-2015-8109

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-86070 // JVNDB: JVNDB-2015-007542 // NVD: CVE-2015-8109

THREAT TYPE

local

Trust: 0.9

sources: BID: 98039 // CNNVD: CNNVD-201704-1366

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201704-1366

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-007542

PATCH
title:LEN-2015-011url:https://support.lenovo.com/jp/ja/product_security/lsu_privilege
Trust: 0.8
title:Lenovo System Update Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69731
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-007542 // 
            
            
            
            CNNVD: CNNVD-201704-1366

EXTERNAL IDS
db:NVDid:CVE-2015-8109
Trust: 2.8
db:BIDid:98039
Trust: 1.4
db:JVNDBid:JVNDB-2015-007542
Trust: 0.8
db:CNNVDid:CNNVD-201704-1366
Trust: 0.7
db:VULHUBid:VHN-86070
Trust: 0.1
sources:
            
            
            VULHUB: VHN-86070 // 
            
            
            
            BID: 98039 // 
            
            
            
            JVNDB: JVNDB-2015-007542 // 
            
            
            
            CNNVD: CNNVD-201704-1366 // 
            
            
            
            NVD: CVE-2015-8109

REFERENCES
url:https://support.lenovo.com/us/en/product_security/lsu_privilege
Trust: 2.0
url:https://ioactive.com/pdfs/ioactive_advisory_lenovo_systemupdate-insecure-random-admin-password.pdf
Trust: 2.0
url:http://www.securityfocus.com/bid/98039
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8109
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-8109
Trust: 0.8
url:http://www.lenovo.com/ca/en/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-86070 // 
            
            
            
            BID: 98039 // 
            
            
            
            JVNDB: JVNDB-2015-007542 // 
            
            
            
            CNNVD: CNNVD-201704-1366 // 
            
            
            
            NVD: CVE-2015-8109

CREDITS
Sofiane Talmat of IOActive
Trust: 0.3
sources:
            
            
            BID: 98039

SOURCES
db:VULHUBid:VHN-86070
db:BIDid:98039
db:JVNDBid:JVNDB-2015-007542
db:CNNVDid:CNNVD-201704-1366
db:NVDid:CVE-2015-8109

LAST UPDATE DATE
2024-11-23T21:41:31.362000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-86070date:2017-04-29T00:00:00
db:BIDid:98039date:2017-05-02T00:10:00
db:JVNDBid:JVNDB-2015-007542date:2017-05-26T00:00:00
db:CNNVDid:CNNVD-201704-1366date:2017-05-02T00:00:00
db:NVDid:CVE-2015-8109date:2024-11-21T02:38:02.113

SOURCES RELEASE DATE
db:VULHUBid:VHN-86070date:2017-04-24T00:00:00
db:BIDid:98039date:2017-04-14T00:00:00
db:JVNDBid:JVNDB-2015-007542date:2017-05-26T00:00:00
db:CNNVDid:CNNVD-201704-1366date:2017-04-24T00:00:00
db:NVDid:CVE-2015-8109date:2017-04-24T06:59:00.507