Unquoted Service Path in Lenovo LegionSpace 1.7.11.2 Enables Local Privilege Escalation
What Happened – A mis‑configured Windows service (DAService) in Lenovo LegionSpace 1.7.11.2 contains an unquoted executable path (C:\Program Files\Lenovo\LegionSpace\1.7.11.2\LSDaemon.exe). An attacker with local user rights can place a malicious executable in C:\Program Files\Lenovo\LegionSpace\1.7.11.2\ and have it executed with SYSTEM privileges when the service starts.
Why It Matters for TPRM –
- Local privilege escalation can be leveraged to bypass endpoint hardening and move laterally across a vendor‑managed environment.
- Third‑party devices that ship with the vulnerable version may expose client networks if not patched promptly.
- The flaw demonstrates the risk of inadequate build‑time hardening in commercial software supplied to enterprises.
Who Is Affected –
- Technology & SaaS vendors that deploy Lenovo LegionSpace on employee workstations or kiosks.
- Managed Service Providers (MSPs) that include Lenovo hardware in their service offerings.
Recommended Actions –
- Verify that any Lenovo LegionSpace installations are running version 1.8.12.13 or later.
- If older versions are present, schedule an immediate upgrade or apply a temporary mitigation (e.g., quote the service path via
sc config). - Review endpoint hardening controls (application whitelisting, least‑privilege policies) to detect unauthorized binaries in the service directory.
Technical Notes –
- Attack Vector: Unquoted Service Path (misconfiguration).
- Impact: Local code execution with SYSTEM privileges; can be a stepping stone to broader compromise.
- Mitigation: Upgrade to Lenovo LegionSpace 1.8.12.13+; alternatively, edit the service registry to quote the executable path.
- Reference: Exploit‑DB ID 52570 (https://www.exploit-db.com/exploits/52570)