Sign-up

ID

VAR-201704-0227


CVE

CVE-2015-8110


TITLE

Lenovo System Update Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2015-007541

DESCRIPTION

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by navigating to (1) "Click here to learn more" or (2) "View privacy policy" within the Tvsukernel.exe GUI application in the context of a temporary administrator account, aka a "local privilege escalation vulnerability.". Lenovo System Update ( Old ThinkVantage System Update) Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Lenovo System Update is prone to a local privilege-escalation vulnerability. A local attacker can exploit this vulnerability to gain elevated privileges. Versions prior to Lenovo System Update 5.07.0019 are vulnerable. Lenovo System Update (formerly known as ThinkVantage System Update) is a set of system automatic update tools provided by China Lenovo (Lenovo), which includes device driver updates, Windows system patch updates, etc

Trust: 1.98

sources: NVD: CVE-2015-8110 // JVNDB: JVNDB-2015-007541 // BID: 98037 // VULHUB: VHN-86071

AFFECTED PRODUCTS

vendor:lenovomodel:system updatescope:lteversion:5.07.0013

Trust: 1.0

vendor:lenovomodel:system updatescope:ltversion:5.07.0019

Trust: 0.8

vendor:lenovomodel:system updatescope:eqversion:5.07.0013

Trust: 0.6

vendor:lenovomodel:system updatescope:eqversion:5.6.34

Trust: 0.3

vendor:lenovomodel:system updatescope:eqversion:5.6.0.28

Trust: 0.3

vendor:lenovomodel:system updatescope:eqversion:5.6.0.27

Trust: 0.3

vendor:lenovomodel:system updatescope:eqversion:3.14

Trust: 0.3

vendor:lenovomodel:system updatescope:eqversion:3

Trust: 0.3

vendor:lenovomodel:system updatescope:neversion:5.7.19

Trust: 0.3

sources: BID: 98037 // JVNDB: JVNDB-2015-007541 // CNNVD: CNNVD-201704-1365 // NVD: CVE-2015-8110

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8110
value: HIGH

Trust: 1.0

NVD: CVE-2015-8110
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201704-1365
value: HIGH

Trust: 0.6

VULHUB: VHN-86071
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-8110
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-86071
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-8110
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-86071 // JVNDB: JVNDB-2015-007541 // CNNVD: CNNVD-201704-1365 // NVD: CVE-2015-8110

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-86071 // JVNDB: JVNDB-2015-007541 // NVD: CVE-2015-8110

THREAT TYPE

local

Trust: 0.9

sources: BID: 98037 // CNNVD: CNNVD-201704-1365

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201704-1365

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-007541

PATCH
title:LEN-2015-011url:https://support.lenovo.com/jp/ja/product_security/lsu_privilege
Trust: 0.8
title:Lenovo System Update Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69730
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-007541 // 
            
            
            
            CNNVD: CNNVD-201704-1365

EXTERNAL IDS
db:NVDid:CVE-2015-8110
Trust: 2.8
db:BIDid:98037
Trust: 1.4
db:JVNDBid:JVNDB-2015-007541
Trust: 0.8
db:CNNVDid:CNNVD-201704-1365
Trust: 0.7
db:VULHUBid:VHN-86071
Trust: 0.1
sources:
            
            
            VULHUB: VHN-86071 // 
            
            
            
            BID: 98037 // 
            
            
            
            JVNDB: JVNDB-2015-007541 // 
            
            
            
            CNNVD: CNNVD-201704-1365 // 
            
            
            
            NVD: CVE-2015-8110

REFERENCES
url:https://support.lenovo.com/us/en/product_security/lsu_privilege
Trust: 2.0
url:https://ioactive.com/pdfs/ioactive_advisory_lenovo_tvsukernel-escalation-privileges.pdf
Trust: 2.0
url:http://www.securityfocus.com/bid/98037
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8110
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-8110
Trust: 0.8
url:http://www.lenovo.com/ca/en/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-86071 // 
            
            
            
            BID: 98037 // 
            
            
            
            JVNDB: JVNDB-2015-007541 // 
            
            
            
            CNNVD: CNNVD-201704-1365 // 
            
            
            
            NVD: CVE-2015-8110

CREDITS
Sofiane Talmat of IOActive
Trust: 0.3
sources:
            
            
            BID: 98037

SOURCES
db:VULHUBid:VHN-86071
db:BIDid:98037
db:JVNDBid:JVNDB-2015-007541
db:CNNVDid:CNNVD-201704-1365
db:NVDid:CVE-2015-8110

LAST UPDATE DATE
2024-11-23T22:26:47.499000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-86071date:2017-04-28T00:00:00
db:BIDid:98037date:2017-05-02T00:10:00
db:JVNDBid:JVNDB-2015-007541date:2017-05-26T00:00:00
db:CNNVDid:CNNVD-201704-1365date:2017-05-02T00:00:00
db:NVDid:CVE-2015-8110date:2024-11-21T02:38:02.247

SOURCES RELEASE DATE
db:VULHUBid:VHN-86071date:2017-04-24T00:00:00
db:BIDid:98037date:2017-04-24T00:00:00
db:JVNDBid:JVNDB-2015-007541date:2017-05-26T00:00:00
db:CNNVDid:CNNVD-201704-1365date:2017-04-24T00:00:00
db:NVDid:CVE-2015-8110date:2017-04-24T06:59:00.540