Firmware Security Flaw in Lenovo Notebooks
CVE-2021-3971
6.7 MEDIUM
Summary
A vulnerability in Lenovo Notebook devices stems from a driver used in legacy manufacturing processes that was mistakenly included in the BIOS image. An attacker with the necessary privileges can alter the firmware protection region by modifying an NVRAM variable, potentially compromising the integrity and security of affected systems. Users of impacted models are advised to apply the available security updates promptly.
Affected Version(s)
Notebook BIOS various
References
CVSS V3.1
Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lenovo thanks Martin Smolár from ESET for reporting this issue.