Recently, Lenovo announced two high-risk vulnerabilities in its Lenovo Vantage supporting software, CVE-2021-3922 and CVE-2021-3969. Both allow local privilege escalation.
The vulnerabilities are located in the IMController component. An attacker who already has low-privileged local access can use them to elevate privileges and then carry out far more damaging operations on the machine.
CVE-2021-3922: A race condition vulnerability has been reported in IMController, a software component of the Lenovo System Interface Foundation, which could allow a local attacker to connect and interact with the named pipe of the IMController child process.
CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability has been reported in IMController, a software component of the Lenovo System Interface Foundation, which could allow a local attacker to elevate privileges.
The IMController component bundled with Lenovo's pre-installed software already has many negative reviews, mainly because it sometimes consumes a large share of hardware resources and causes the system to become sluggish or unresponsive.
Users who do not need the software pre-installed by these manufacturers can simply uninstall it. After all, as long as the uninstallation removes the component completely, these flaws no longer apply.