Vulnerability Name: | CVE-2015-2219 (CCN-103027)
Assigned: | 2015-04-14
Published: | 2015-04-14
Updated: | 2016-12-03
Summary: | Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe.
CVSS v3 Severity: | 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS v2 Severity: | 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.9 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
5.9 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Vulnerability Type: | CWE-264
Vulnerability Consequences: | Gain Access
References: |
Source: MITRE Type: CNA CVE-2015-2219
Source: SECTRACK Type: UNKNOWN 1032268
Source: CONFIRM Type: Vendor Advisory http://support.lenovo.com/us/en/product_security/lsu_privilege
Source: CCN Type: IOActive Web site Lenovo System Update Multiple Privilege Escalations
Source: CCN Type: IOActive Security Advisory Lenovo's System Update Uses a Predictable Security Token
Source: MISC Type: UNKNOWN http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf
Source: BID Type: UNKNOWN 74649
Source: XF Type: UNKNOWN lenovo-update-cve20152219-command-exec(103027)
Source: CCN Type: Packet Storm Security [05-23-2015] Lenovo System Update Privilege Escalation
Source: CCN Type: Lenovo Security Advisory: LEN-2015-011 Lenovo System Update Privilege Escalation
Vulnerable Configuration: | Configuration 1: