Lenovo Vantage IMController Vulnerability - ConfigMgr Query


Lenovo recently announced LEN-75210, in which a privileged service can be vulnerable to attack. This service is used on many of their laptop and desktop classes. In this post I'll share a query to identify your systems impacted by LEN-75210.

This query has the following requirements:

  • Your ConfigMgr hardware inventory must be querying services (else we don't know if it's installed).
  • You must be gathering Software Inventory on EXE files and it must not exclude %WINDIR%. If you'd prefer not to include %WINDIR%, you can add %WINDIR%\Lenovo specifically. Without this data you won't have the version of the EXE.

Query Updated 2021-12-21 in an attempt to make it more future proof with the CASE statements.

select v_R_System.Name0
     , v_GS_SERVICE.Name0
     , v_GS_SERVICE.DisplayName0
     , v_GS_SERVICE.PathName0
     , v_GS_SERVICE.StartMode0
     , v_GS_SoftwareFile.FileName
     , v_GS_SoftwareFile.FilePath
     , v_GS_SoftwareFile.FileVersion
     -- In LIKE, _ matches any character (including '.'), so digit positions
     -- use [0-9] ranges. The first matching WHEN wins.
     , case when v_GS_SoftwareFile.FileVersion is null then 'No Inventory'

            -- Anything 1.0 is before 1.1.20.3
            when v_GS_SoftwareFile.FileVersion like '1.0%' then 'Yes'

            -- Anything 1.1.0 is before 1.1.20.3
            when v_GS_SoftwareFile.FileVersion like '1.1.0%' then 'Yes'

            -- Covers 1.1.1.x -> 1.1.9.x (all vulnerable)
            when v_GS_SoftwareFile.FileVersion like '1.1.[1-9].%' then 'Yes'

            -- Covers 1.1.10.x -> 1.1.19.x (all vulnerable)
            when v_GS_SoftwareFile.FileVersion like '1.1.1[0-9].%' then 'Yes'

            -- Covers 1.1.20.0 -> 1.1.20.2 (all vulnerable, exact match only)
            when v_GS_SoftwareFile.FileVersion like '1.1.20.[0-2]' then 'Yes'

            -- Covers 1.1.20.3 -> 1.1.20.9 and 1.1.20.10 and up (all safe)
            when v_GS_SoftwareFile.FileVersion like '1.1.20.[3-9]%' then 'No'
            when v_GS_SoftwareFile.FileVersion like '1.1.20.[1-9][0-9]%' then 'No'

            -- Covers 1.1.21.x -> 1.1.29.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '1.1.2[1-9].%' then 'No'

            -- Covers 1.1.30.x -> 1.1.99.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '1.1.[3-9][0-9].%' then 'No'

            -- Covers 1.2.x.x -> 1.99.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '1.[2-9]%.%' then 'No'
            when v_GS_SoftwareFile.FileVersion like '1.1[0-9].%' then 'No'

            -- Covers 2.x.x.x -> 9.x.x.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '[2-9].%' then 'No'

            -- Covers 10.x.x.x -> 99.x.x.x.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '[1-9][0-9].%' then 'No'

            -- Covers 100.x.x.x -> 999.x.x.x.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '[1-9][0-9][0-9].%' then 'No'

            -- Covers 1000.x.x.x -> 9999.x.x.x.x (all safe)
            when v_GS_SoftwareFile.FileVersion like '[1-9][0-9][0-9][0-9].%' then 'No'

            -- Missing something (anything not matched above needs a new case)
            else 'Update Query ...'
       end as Vulnerable
  from v_R_System
  join v_GS_SERVICE
    on v_R_System.ResourceID = v_GS_SERVICE.ResourceID
   and v_GS_SERVICE.Name0 = 'ImControllerService'
  -- Left join so systems with the service but no EXE inventory still appear
  left join v_GS_SoftwareFile
    on v_R_System.ResourceID = v_GS_SoftwareFile.ResourceID
   and v_GS_SoftwareFile.FileName = 'Lenovo.Modern.ImController.exe'
   and v_GS_SERVICE.PathName0 like '%' + v_GS_SoftwareFile.FilePath + '%'
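
An alternative to pattern matching is to split the version into its four numeric parts and compare them against 1.1.20.3 directly, which leaves no gaps between patterns. The following is an added example, not part of the original query: the sample versions are constructed, and it assumes four dot-separated numeric parts and a SQL Server version that supports TRY_CAST (2012 or later).

```sql
-- Added example: constructed sample versions stand in for
-- v_GS_SoftwareFile.FileVersion (assumption: four dot-separated numeric parts).
with samples (FileVersion) as (
    select v
      from (values ('1.0.51.0'), ('1.1.3.5'), ('1.1.19.8'), ('1.1.20.2')
                 , ('1.1.20.3'), ('1.1.20.10'), ('1.10.0.0'), ('10.0.0.1')
                 , (null), ('1.1.20')) as t (v)
)
, parts as (
    -- PARSENAME numbers the parts from the right: 4 = major ... 1 = revision.
    -- TRY_CAST yields NULL for a missing or non-numeric part.
    select FileVersion
         , try_cast(parsename(FileVersion, 4) as int) as Major
         , try_cast(parsename(FileVersion, 3) as int) as Minor
         , try_cast(parsename(FileVersion, 2) as int) as Build
         , try_cast(parsename(FileVersion, 1) as int) as Revision
      from samples
)
select FileVersion
     , case when FileVersion is null then 'No Inventory'

            -- Unparseable value: flag it for review instead of guessing
            when Major is null or Minor is null
              or Build is null or Revision is null then 'Update Query ...'

            -- Numeric comparison: anything below 1.1.20.3 is vulnerable
            when Major < 1
              or (Major = 1 and Minor < 1)
              or (Major = 1 and Minor = 1 and Build < 20)
              or (Major = 1 and Minor = 1 and Build = 20 and Revision < 3) then 'Yes'

            else 'No'
       end as Vulnerable
  from parts;
```

To use it against inventory, replace the `samples` CTE with the joins from the query above and carry `v_GS_SoftwareFile.FileVersion` through `parts`.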

