Vulnerability CVE-2017-3740


Published: 2017-06-04

Description:
In Lenovo Active Protection System before 1.82.0.14, an attacker with local privileges could send commands to the system's embedded controller, which could cause a denial of service attack on the system or the ability to alter hardware functionality.

Vendor: Lenovo
Product: Active protection system 
Version:
1.82.0.10
1.82.0.07
1.82.0.06
1.82.0.03
1.81.0.08
1.80.8.00
1.80.3.00
1.80.11.00
1.80.1.00
1.79.0.03
1.78.0.11
1.78.0.10
1.78.0.09
1.77.0.9
1.77.0.8
1.77.0.7
1.77.0.5
1.77.0.26
1.77.0.20
1.77.0.11
1.76
1.75
1.74
1.73
1.72
1.71
1.70
1.64
1.63
1.62
1.61
1.54
1.53
1.52
1.51
1.50
1.41
1.40
1.34
1.33b
1.32
1.31
1.30b
1.23
1.22
1.21
1.20b
1.01b
1.00b

CVSS2 => (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.9/10
6.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

 References:
https://support.lenovo.com/us/en/product_security/LEN-13637

Related CVE
CVE-2018-9066
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's under...
CVE-2018-9065
In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previ...
CVE-2018-9064
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
CVE-2018-9063
MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undef...
CVE-2017-3762
Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users...
CVE-2017-3764
A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password information of the user accounts is expo...
CVE-2017-3761
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
CVE-2017-3759
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.

Copyright 2018, cxsecurity.com

 

Back to Top