Local Privilege Escalation in ThinkPad Hybrid USB-C Dock Firmware Tool from Lenovo
CVE-2022-4569
7.8 HIGH
Key Information:
- Vendor: Lenovo
- CVE Published: 5 June 2023
Summary
A vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool allows a user with local access to execute malicious code with elevated privileges during the installation or upgrade of the firmware. If exploited, this vulnerability could enable an attacker to gain increased control over the system, potentially leading to unauthorized access and further exploitation of the device.
Affected Version(s)
ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool versions prior to v1.0.35_v2
CVSS V3.1
- Score: 7.8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lenovo thanks Raphael Rosenast of Compass Security.