Man-in-the-middle attack in Lenovo Service Framework

#VU8858 Man-in-the-middle attack in Lenovo Service Framework

Cybersecurity Help s.r.o.

Published: 2017-10-18

Vulnerability identifier: #VU8858

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3759

CWE-ID: CWE-300

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Lenovo Service Framework
Client/Desktop applications / Other client software

Vendor: Lenovo

Description
The vulnerability allows a remote attacker to conduct MITM-attack.

The weakness exists due to the LSF application accepts some responses from the server without proper validation. A remote attacker can use man-in-the-middle techniques and possibly execute arbitrary code on the target device.

Mitigation
Update to version 4.8.0.2403.

Vulnerable software versions

Lenovo Service Framework: All versions

External links
http://support.lenovo.com/ua/en/product_security/len-15374

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Remote code execution in Lenovo Service Framework