Vulnerability CVE-2017-3740


Published: 2017-06-04

Description:
In Lenovo Active Protection System before 1.82.0.14, an attacker with local privileges could send commands to the system's embedded controller, which could cause a denial of service attack on the system or the ability to alter hardware functionality.

Vendor: Lenovo
Product: Active protection system 
Version:
1.82.0.10
1.82.0.07
1.82.0.06
1.82.0.03
1.81.0.08
1.80.8.00
1.80.3.00
1.80.11.00
1.80.1.00
1.79.0.03
1.78.0.11
1.78.0.10
1.78.0.09
1.77.0.9
1.77.0.8
1.77.0.7
1.77.0.5
1.77.0.26
1.77.0.20
1.77.0.11
1.76
1.75
1.74
1.73
1.72
1.71
1.70
1.64
1.63
1.62
1.61
1.54
1.53
1.52
1.51
1.50
1.41
1.40
1.34
1.33b
1.32
1.31
1.30b
1.23
1.22
1.21
1.20b
1.01b
1.00b

CVSS2 => (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.9/10
6.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

 References:
https://support.lenovo.com/us/en/product_security/LEN-13637

Related CVE
CVE-2018-9063
MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undef...
CVE-2017-3762
Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users...
CVE-2017-3764
A vulnerability was identified in Lenovo XClarity Administrator (LXCA) before 1.4.0 where LXCA user account names may be exposed to unauthenticated users with access to the LXCA web user interface. No password information of the user accounts is expo...
CVE-2017-3761
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
CVE-2017-3759
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVE-2017-3760
The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote c...
CVE-2017-3758
Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.
CVE-2015-6971
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed Lenovo executables.

Copyright 2018, cxsecurity.com

 

Back to Top