Insufficient Validation in Lenovo Notebook BIOS Allows Code Execution
CVE-2021-3970

6.7MEDIUM

Key Information:

Vendor: Lenovo
Status: Notebook BiOS
Vendor: CVE Published:; 22 April 2022

Summary

A potential security issue has been identified in the BIOS of certain Lenovo Notebook models, where insufficient validation in the LenovoVariable SMI Handler could permit an attacker with local access and elevated privileges to execute arbitrary code. This risk emphasizes the need for users to ensure their systems are updated and configured securely to prevent unauthorized code execution.

Affected Version(s)

Notebook BIOS various

References

https://support.lenovo.com/us/en/product_security/LEN-73440

x_refsource_MISC

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 22, 2022
Vulnerability Reserved
Nov 17, 2021

Credit

Lenovo thanks Martin Smolár from ESET for reporting this issue.