Do you own a Lenovo Yoga or ThinkPad laptop? If so be advised that a pair of critical security flaws have recently been found that could allow an attacker Admin level access to your machine.
The flaws are centered in the IMControllerService and are being tracked as CVE-2021-3922 and CVE-2021-3969. They impact all Lenovo System Interface Foundations versions below 1.1.20.3.
According to the Windows description of the service:
“The Lenovo System Interface Foundation Service provides interfaces for key features such as: system power management, system optimization, driver and application updates, and system settings to Lenovo applications including Lenovo Companion, Lenovo Settings and Lenovo ID.”
Unfortunately, that means that simply disabling the service is not an option. Since it is so tightly woven into the fabric of these machines disabling it will essentially render your laptop nonfunctional. At the very least it may stop several key features of your machine from working properly.
Researchers from NCC Group who discovered the vulnerabilities explain them this way:
“The first vulnerability is a race condition between an attacker and the parent process connecting to the child process’ named pipe.
An attacker using high-performance filesystem synchronization routines can reliably win the race with the parent process to connect to the named pipe.”
They went on to explain that the second flaw was centered around a “time of check to time of use” vulnerability. That allows an attacker to interrupt the loading process of a validated ImControllerService plugin and replace it with a DLL of the attacker’s choosing.
The good news is that Lenovo moved quickly and as of December 14th, 2021 the issue has been resolved. If you have one of the laptops mentioned above or some other model that makes use of the ImControllerService be sure to download the latest updates from Lenovo in to plug the hole in your machine’s security. Kudos to Lenovo for their swift response!
