Local Code Execution Vulnerability in ThinkPad Models by Lenovo
CVE-2021-3843

6.7MEDIUM

Key Information:

Vendor: Lenovo
Status: Thinkpad BiOS
Vendor: CVE Published:; 12 November 2021

Summary

A potential security vulnerability exists in the System Management Interface (SMI) function related to EEPROM access on certain ThinkPad models by Lenovo. This weakness may allow an attacker with local access and elevated privileges to execute arbitrary code, potentially compromising the integrity and confidentiality of the system. Immediate action is advisable to mitigate potential risks associated with this vulnerability.

Affected Version(s)

ThinkPad BIOS various

References

https://support.lenovo.com/us/en/product_security/LEN-72619

x_refsource_MISC

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 12, 2021
Vulnerability Reserved
Sep 30, 2021

Credit

Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas.