CVE-2022-0192
📋 TL;DR
This DLL search path vulnerability in Lenovo PCManager allows attackers to place malicious DLLs in directories searched by the application, potentially leading to privilege escalation. It affects users running Lenovo PCManager versions prior to 4.0.40.2175 on Windows systems. Attackers could execute arbitrary code with elevated privileges if they can place DLLs in accessible locations.
💻 Affected Systems
- Lenovo PCManager
📦 What is this software?
PCManager by Lenovo
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM/administrator privileges, allowing installation of persistent malware, credential theft, and complete control of the affected system.
Likely Case
Local privilege escalation from standard user to administrator/SYSTEM privileges, enabling further lateral movement within the network.
If Mitigated
Limited impact if proper application whitelisting and DLL search path restrictions are enforced, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires local access to place malicious DLLs in directories searched by PCManager. No public exploit code has been reported.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.40.2175 and later
Vendor Advisory: https://iknow.lenovo.com.cn/detail/dc_201470.html
Restart Required: Yes
Instructions:
1. Open Lenovo PCManager.
2. Check for updates in settings.
3. Install version 4.0.40.2175 or later.
4. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Restrict DLL search paths
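Windows: Use Windows policies to restrict DLL search paths and prevent loading from untrusted directories. SafeDllSearchMode is enabled by default on current Windows versions; it only moves the current working directory later in the search order and does not change lookups in the application's own directory.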
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1
Remove vulnerable software
Windows: Uninstall Lenovo PCManager if not required for system functionality
appwiz.cpl
Select Lenovo PCManager and click Uninstall
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized DLLs
- Restrict user permissions to prevent DLL placement in vulnerable directories
🔍 How to Verify
Check if Vulnerable:
Check Lenovo PCManager version in Settings > About. If version is below 4.0.40.2175, the system is vulnerable.
Check Version:
wmic product where name="Lenovo PCManager" get version
Verify Fix Applied:
Confirm Lenovo PCManager version is 4.0.40.2175 or higher after update installation.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Process Monitor logs showing PCManager loading DLLs from user-writable directories
Network Indicators:
- No specific network indicators as this is local exploitation
SIEM Query:
(EventID=7 OR EventID=11) AND ProcessName="PCManager.exe" AND ImageLoaded contains ".dll" AND NOT ImageLoaded contains "C:\Windows\"
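The same image-load check as triage logic over exported events, as an added example that is not part of the original page or Lenovo's advisory. It assumes Sysmon Event ID 7 records with Sysmon's `Image`, `ImageLoaded` and `Signed` fields; the trusted-directory list, the install path and the sample events are constructed for illustration.

```python
import ntpath

# Assumption: directories a standard user cannot write to on a default install.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TARGET_PROCESS = "pcmanager.exe"  # process name from the page's SIEM query
# Hypothetical install path; the page does not state where PCManager is installed.
PCM = r"C:\Program Files\ExampleInstallDir\PCManager.exe"

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 7, "Image": PCM, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": PCM, "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\version.dll"},
    {"EventID": 7, "Image": PCM, "Signed": "false",
     "ImageLoaded": r"c:/program files/ExampleInstallDir/helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\other.dll"},
    {"EventID": 11, "Image": PCM, "TargetFilename": r"C:\Users\Public\version.dll"},
]


def normalize(path):
    """Unify separators, case and quoting so prefix checks compare like with like."""
    return ntpath.normpath(str(path).strip().strip('"')).lower()


def suspicious_loads(events):
    """Return (ImageLoaded, reason) pairs for PCManager image loads worth triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry ImageLoaded
        if ntpath.basename(normalize(ev.get("Image", ""))) != TARGET_PROCESS:
            continue  # a different process loaded the image
        loaded = normalize(ev.get("ImageLoaded", ""))
        if not loaded.endswith(".dll"):
            continue
        if not loaded.startswith(TRUSTED_DIRS):
            findings.append((ev["ImageLoaded"], "outside trusted directories"))
        elif str(ev.get("Signed", "true")).lower() != "true":
            findings.append((ev["ImageLoaded"], "unsigned image in trusted directory"))
    return findings


if __name__ == "__main__":
    for path, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

Records without a `Signed` field are treated as signed here, so only the path check applies to them.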