cnvd - cnvd-2017-32445

CNVD-2017-32445

Vulnerability from cnvd - Published: 2017-11-02

Title

多款Lenovo产品ElanTech Touchpad驱动程序权限提升漏洞

Description

Lenovo 300S-11IBR等都是中国联想（Lenovo）公司的笔记本电脑产品。ElanTech Touchpad driver是其中的一个触控板驱动程序。多款Lenovo产品中的ElanTech Touchpad驱动程序存在安全漏洞。攻击者可利用该漏洞以管理员权限执行代码。

Severity

高

Patch Name

多款Lenovo产品ElanTech Touchpad驱动程序权限提升漏洞的补丁

Patch Description

Lenovo 300S-11IBR等都是中国联想（Lenovo）公司的笔记本电脑产品。ElanTech Touchpad driver是其中的一个触控板驱动程序。多款Lenovo产品中的ElanTech Touchpad驱动程序存在安全漏洞。攻击者可利用该漏洞以管理员权限执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.lenovo.com/us/zh/product_security/len-14390

Reference

https://support.lenovo.com/us/en/product_security/LEN-14390

Impacted products

Name
['Lenovo Z70-80', 'Lenovo Yoga 300-11IBY', 'Lenovo Yoga 300-11IBR', 'Lenovo Flex 3-1120', 'Lenovo Flex 3-1130', 'Lenovo 300S-11IBR']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-3757"
    }
  },
  "description": "Lenovo 300S-11IBR\u7b49\u90fd\u662f\u4e2d\u56fd\u8054\u60f3\uff08Lenovo\uff09\u516c\u53f8\u7684\u7b14\u8bb0\u672c\u7535\u8111\u4ea7\u54c1\u3002ElanTech Touchpad driver\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u89e6\u63a7\u677f\u9a71\u52a8\u7a0b\u5e8f\u3002\r\n\r\n\u591a\u6b3eLenovo\u4ea7\u54c1\u4e2d\u7684ElanTech Touchpad\u9a71\u52a8\u7a0b\u5e8f\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u6267\u884c\u4ee3\u7801\u3002",
  "discovererName": "Lenovo",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.lenovo.com/us/zh/product_security/len-14390",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-32445",
  "openTime": "2017-11-02",
  "patchDescription": "Lenovo 300S-11IBR\u7b49\u90fd\u662f\u4e2d\u56fd\u8054\u60f3\uff08Lenovo\uff09\u516c\u53f8\u7684\u7b14\u8bb0\u672c\u7535\u8111\u4ea7\u54c1\u3002ElanTech Touchpad driver\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u89e6\u63a7\u677f\u9a71\u52a8\u7a0b\u5e8f\u3002\r\n\r\n\u591a\u6b3eLenovo\u4ea7\u54c1\u4e2d\u7684ElanTech Touchpad\u9a71\u52a8\u7a0b\u5e8f\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eLenovo\u4ea7\u54c1ElanTech Touchpad\u9a71\u52a8\u7a0b\u5e8f\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Lenovo Z70-80",
      "Lenovo Yoga 300-11IBY",
      "Lenovo Yoga 300-11IBR",
      "Lenovo Flex 3-1120",
      "Lenovo Flex 3-1130",
      "Lenovo 300S-11IBR"
    ]
  },
  "referenceLink": "https://support.lenovo.com/us/en/product_security/LEN-14390",
  "serverity": "\u9ad8",
  "submitTime": "2017-09-08",
  "title": "\u591a\u6b3eLenovo\u4ea7\u54c1ElanTech Touchpad\u9a71\u52a8\u7a0b\u5e8f\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2017-3757 (GCVE-0-2017-3757)

Vulnerability from cvelistv5 – Published: 2017-08-28 20:00 – Updated: 2024-09-16 23:36

Summary

An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.

Severity ?

No CVSS data available.

CWE

Privilege escalation

Assigner

lenovo

References

URL

Tags

https://support.lenovo.com/us/en/product_security…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Lenovo Group Ltd.	Lenovo ElanTech Touchpad driver	Affected: various versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:39:39.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.lenovo.com/us/en/product_security/LEN-14390"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lenovo ElanTech Touchpad driver",
          "vendor": "Lenovo Group Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "various versions"
            }
          ]
        }
      ],
      "datePublic": "2017-08-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege escalation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-28T19:57:01",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.lenovo.com/us/en/product_security/LEN-14390"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "DATE_PUBLIC": "2017-08-24T00:00:00",
          "ID": "CVE-2017-3757",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Lenovo ElanTech Touchpad driver",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "various versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Lenovo Group Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Privilege escalation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.lenovo.com/us/en/product_security/LEN-14390",
              "refsource": "CONFIRM",
              "url": "https://support.lenovo.com/us/en/product_security/LEN-14390"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2017-3757",
    "datePublished": "2017-08-28T20:00:00Z",
    "dateReserved": "2016-12-16T00:00:00",
    "dateUpdated": "2024-09-16T23:36:32.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-32445

CVE-2017-3757 (GCVE-0-2017-3757)

Tags

Sightings

Nomenclature