CVE-2022-3699
Published: 2023-10-25


Priority: P2 (76), severity high, CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 4.28% (89.9th percentile)
A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges.

Affected (5 ranges)

Vendor   Product              Version range   Fixed in
lenovo   diagnostics          < 4.45.0        4.45.0
lenovo   diagnostics          >= < 4.45       4.45
lenovo   hardwarescan_addin   < 2.4.1.1       2.4.1.1
lenovo   hardwarescan_plugin  < 1.3.1.2       1.3.1.2
lenovo   hardwarescanplugin   >= < 1.3.1.2    1.3.1.2

Detection & IOCs (extracted from sources)

filename: RtCore64.sys
filename: gdrv.sys
  • CVE-2022-3699 affects the Lenovo Diagnostics Driver; exploit delivers arbitrary physical/virtual memory read/write via device IOCTLs, enabling privilege escalation from low-privileged user to SYSTEM by overwriting the process access token in kernel memory.
  • CVE-2022-3699 (Lenovo Mapper/Diagnostics driver) has been weaponized in BYOVD attacks to load unsigned kernel code; monitor for creation of new kernel driver services by non-administrative or unexpected processes.
  • For BlackByte BYOVD attacks, dropped vulnerable drivers follow a naming convention of eight random alphanumeric characters followed by an underscore and an iterating number value; alert on driver filenames matching this pattern.
  • Privilege escalation via vulnerable driver involves reading/writing the _EPROCESS token offset; monitor for low-privilege processes spawning with SYSTEM token after driver IOCTL activity.
  • A Metasploit module exists for CVE-2022-3699 (cve_2022_3699_lenovo_diagnostics_driver.rb); monitor for exploitation attempts using this module's IOCTL memmove technique.
  • CVE-2022-3699 affects Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45; versions at or above these thresholds are patched.

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH