Sign-up

ID

VAR-201710-0056


CVE

CVE-2015-6971


TITLE

Lenovo System Update Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-008002

DESCRIPTION

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed Lenovo executables. Lenovo System Update ( Old ThinkVantage System Update) Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Lenovo System Update (formerly known as ThinkVantage System Update) is a set of system automatic update tools provided by China Lenovo (Lenovo), which includes device driver updates, Windows system patch updates, etc. A race condition vulnerability exists in versions prior to Lenovo System Update 5.06.0043. An attacker could exploit this vulnerability to run arbitrary commands with a specially crafted security token

Trust: 1.71

sources: NVD: CVE-2015-6971 // JVNDB: JVNDB-2015-008002 // VULHUB: VHN-84932

AFFECTED PRODUCTS

vendor:lenovomodel:system updatescope:lteversion:5.06.0034

Trust: 1.0

vendor:lenovomodel:system updatescope:ltversion:5.07.0013

Trust: 0.8

vendor:lenovomodel:system updatescope:eqversion:5.06.0034

Trust: 0.6

sources: JVNDB: JVNDB-2015-008002 // CNNVD: CNNVD-201511-427 // NVD: CVE-2015-6971

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6971
value: HIGH

Trust: 1.0

NVD: CVE-2015-6971
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201511-427
value: HIGH

Trust: 0.6

VULHUB: VHN-84932
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-6971
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-84932
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-6971
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-84932 // JVNDB: JVNDB-2015-008002 // CNNVD: CNNVD-201511-427 // NVD: CVE-2015-6971

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.9

sources: VULHUB: VHN-84932 // JVNDB: JVNDB-2015-008002 // NVD: CVE-2015-6971

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201511-427

TYPE

competitive condition

Trust: 0.6

sources: CNNVD: CNNVD-201511-427

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-008002

PATCH
title:LEN-2015-011url:https://support.lenovo.com/jp/en/product_security/lsu_privilege
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-008002

EXTERNAL IDS
db:NVDid:CVE-2015-6971
Trust: 2.5
db:JVNDBid:JVNDB-2015-008002
Trust: 0.8
db:CNNVDid:CNNVD-201511-427
Trust: 0.7
db:SEEBUGid:SSVID-89992
Trust: 0.1
db:VULHUBid:VHN-84932
Trust: 0.1
sources:
            
            
            VULHUB: VHN-84932 // 
            
            
            
            JVNDB: JVNDB-2015-008002 // 
            
            
            
            CNNVD: CNNVD-201511-427 // 
            
            
            
            NVD: CVE-2015-6971

REFERENCES
url:https://support.lenovo.com/us/en/product_security/lsu_privilege
Trust: 1.7
url:https://www.trustwave.com/resources/security-advisories/advisories/twsl2015-018/?fid=7172
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6971
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2015-6971
Trust: 0.8
sources:
            
            
            VULHUB: VHN-84932 // 
            
            
            
            JVNDB: JVNDB-2015-008002 // 
            
            
            
            CNNVD: CNNVD-201511-427 // 
            
            
            
            NVD: CVE-2015-6971

SOURCES
db:VULHUBid:VHN-84932
db:JVNDBid:JVNDB-2015-008002
db:CNNVDid:CNNVD-201511-427
db:NVDid:CVE-2015-6971

LAST UPDATE DATE
2024-11-23T21:40:21.809000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-84932date:2017-10-17T00:00:00
db:JVNDBid:JVNDB-2015-008002date:2017-10-30T00:00:00
db:CNNVDid:CNNVD-201511-427date:2017-10-17T00:00:00
db:NVDid:CVE-2015-6971date:2024-11-21T02:35:58.100

SOURCES RELEASE DATE
db:VULHUBid:VHN-84932date:2017-10-03T00:00:00
db:JVNDBid:JVNDB-2015-008002date:2017-10-30T00:00:00
db:CNNVDid:CNNVD-201511-427date:2015-11-26T00:00:00
db:NVDid:CVE-2015-6971date:2017-10-03T01:29:00.637