A privilege escalation flaw affecting the ImControllerService service on Lenovo laptops, including ThinkPad and Yoga models, lets attackers execute commands with administrator rights.
According to BleepingComputer, the vulnerabilities are tracked as CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component of all Lenovo System Interface Foundation versions below 22.214.171.124. In the Windows Services console, this service appears under the display name “System Interface Foundation Service.”
Lenovo System Interface Foundation includes this service, which allows Lenovo laptops to communicate with universal apps such as Lenovo Companion, Lenovo Settings, and Lenovo ID.
The Lenovo System Interface Foundation Service provides interfaces for key features such as: system power management, system optimization, driver and application updates, and system settings to Lenovo applications including Lenovo Companion, Lenovo Settings and Lenovo ID.
If you disable this service, Lenovo applications will not work properly.
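Because the service carries a display name that differs from its service name, an inventory check is the quickest way for a defender to confirm whether a host runs it, what account it runs as, and which binary version is installed. The following PowerShell is an added example, not code from the article or from Lenovo: it assumes the service name `ImControllerService` from the text, and `$PatchedVersion` is a placeholder to be replaced with the fixed version from Lenovo's advisory (the example also assumes the service binary's file version tracks the System Interface Foundation package version, which should be verified against the advisory).

```powershell
# Added example: inventory the Lenovo ImControllerService on a Windows host
# and report its run-as account, state, binary path and file version.
$ServiceName    = 'ImControllerService'   # service name as given in the article
$PatchedVersion = [version]'0.0.0.0'      # PLACEHOLDER: set to the fixed version from Lenovo's advisory

function Get-ImControllerStatus {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        Write-Output "$ServiceName is not installed on this host."
        return
    }

    # PathName may be quoted and may carry arguments; isolate the executable path.
    $exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    $fileVersion = $null
    if (Test-Path -LiteralPath $exePath) {
        $fileVersion = (Get-Item -LiteralPath $exePath).VersionInfo.FileVersion
    }

    # Assumption: the binary's file version reflects the installed package version.
    $needsUpdate = $null
    if ($fileVersion -and $PatchedVersion -ne [version]'0.0.0.0') {
        $needsUpdate = [version]$fileVersion -lt $PatchedVersion
    }

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName   # expected: "System Interface Foundation Service"
        RunsAs      = $svc.StartName     # a SYSTEM-level account is what the article describes
        State       = $svc.State
        StartMode   = $svc.StartMode
        Path        = $exePath
        Version     = $fileVersion
        NeedsUpdate = $needsUpdate       # $null until $PatchedVersion is filled in
    }
}

Get-ImControllerStatus | Format-List
```

Run it in an elevated PowerShell session so the service's binary path is readable; `NeedsUpdate` stays `$null` until the placeholder version is replaced with the value from the advisory, so the script never reports a host as patched on a guess.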
The vulnerabilities were discovered by NCC Group security researchers, who reported their findings to Lenovo on October 29, 2021.
Lenovo, the Chinese multinational technology company, released the security patches on November 17, 2021, and published the corresponding advisory on December 14, 2021.
As explained by BleepingComputer, ImController runs with SYSTEM privileges because it needs to fetch and