Lenovo Service Engine (LSE) BIOS Vulnerability for Notebooks and Desktops

Dated: August 12, 2015

Description
A few Lenovo personal computers contain a vulnerability in the Lenovo Service Engine. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time, when the system is first connected to the internet, and then does not send any additional data. The system data that LSE collects includes machine type and model, system UUID, region and date. No personally identifiable information is collected. Once this data is sent, the service is disabled automatically.

Recommendations
For Notebooks, Lenovo has released a BIOS update to disable LSE, and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10 [1]. For Desktops, Lenovo has released a utility to remove files configured by Lenovo Service Engine (LSE) on desktop systems running Windows 8 and 8.1 to follow updated security guidelines from Microsoft [2].

NUST CSIRT encourages users and administrators to follow the security guidelines provided by Lenovo.

References
[1]. https://support.lenovo.com/us/en/product_security/lse_bios_notebook
[2]. https://support.lenovo.com/us/en/product_security/lse_bios_desktop


