Local Code Execution Vulnerability in LenovoFlashDeviceInterface by Lenovo
CVE-2023-2290
6.4 MEDIUM
Summary
A potential security vulnerability exists within the LenovoFlashDeviceInterface SMI handler that could allow an attacker with local access and elevated privileges to execute arbitrary code. This could lead to the compromise of system integrity and unauthorized access to sensitive data. Users are urged to stay informed and apply any security updates provided by Lenovo to mitigate this risk.
Affected Version(s)
ThinkPad various
CVSS V3.1
Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lenovo thanks Enrique Nissim, Joseph Tartaro and Krzysztof Okupski from IOActive for reporting this issue.