Potential BIOS Vulnerability in Lenovo Notebook Devices
CVE-2021-3972

6.7MEDIUM

Key Information:

Vendor: Lenovo
Status: Notebook BiOS
Vendor: CVE Published:; 22 April 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 12%

Summary

A potential vulnerability exists in the BIOS of certain Lenovo Notebook devices, where a driver used during the manufacturing process was inadvertently left active. This flaw permits an attacker with elevated privileges to alter the secure boot settings by manipulating an NVRAM variable. Such modifications could compromise the integrity of the device’s boot process, leading to unauthorized access and potential exploitation.

Affected Version(s)

Notebook BIOS various

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-3972
Created by killvxk

References

https://support.lenovo.com/us/en/product_security/LEN-73440

x_refsource_MISC

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 22, 2022
🟡
Public PoC available
Apr 21, 2022
👾
Exploit known to exist
Apr 21, 2022
Vulnerability Reserved
Nov 17, 2021

Credit

Lenovo thanks Martin Smolár from ESET for reporting this issue.