Unauthorized Code Execution Vulnerability in Lenovo System x Server BIOS/UEFI
CVE-2017-3775
6.4 MEDIUM
Key Information:
- Vendor: Lenovo
- CVE Published: 4 May 2018
Summary
Certain Lenovo System x server BIOS and UEFI versions have a security flaw where, under Secure Boot mode, the firmware does not adequately authenticate signed code prior to execution. This allows an attacker with physical access to the system to boot potentially harmful unsigned code. Appropriate security measures should be taken to mitigate this vulnerability.
Affected Version(s)
- Product: Some Lenovo Flex System and Lenovo System x products
- Version: Affected BIOS version varies by product
CVSS V3.1
- Score: 6.4
- Severity: MEDIUM
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Physical
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved