Multiple serious vulnerabilities have been found in Lenovo System Update. Malicious users can exploit these vulnerabilities to bypass security restrictions or gain privileges.

Below is a complete list of vulnerabilities

1. Lack of command piping restrictions can be exploited locally via named pipe manipulations;
2. Lack of file signatures verification can be exploited remotely via a specially designed executable files;
3. Lack of directory permissions restrictions can be exploited locally via a files manipulations.

Lenovo System Update versions earlier than 5.06.0034

Update to the latest version
Get Lenovo System Update

IOActive advisory
Lenovo advisory