Vulnerability CVE-2017-3740


Published: 2017-06-04

Description:
In Lenovo Active Protection System before 1.82.0.14, an attacker with local privileges could send commands to the system's embedded controller, which could cause a denial of service attack on the system or the ability to alter hardware functionality.

Vendor: Lenovo
Product: Active Protection System
Version:
1.82.0.10
1.82.0.07
1.82.0.06
1.82.0.03
1.81.0.08
1.80.8.00
1.80.3.00
1.80.11.00
1.80.1.00
1.79.0.03
1.78.0.11
1.78.0.10
1.78.0.09
1.77.0.9
1.77.0.8
1.77.0.7
1.77.0.5
1.77.0.26
1.77.0.20
1.77.0.11
1.76
1.75
1.74
1.73
1.72
1.71
1.70
1.64
1.63
1.62
1.61
1.54
1.53
1.52
1.51
1.50
1.41
1.40
1.34
1.33b
1.32
1.31
1.30b
1.23
1.22
1.21
1.20b
1.01b
1.00b

CVSS2 => (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10

Exploit range: Local
Attack complexity: Low
Authentication: Not required

Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

References:
https://support.lenovo.com/us/en/product_security/LEN-13637

Related CVE
CVE-2018-9081
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add ...
CVE-2018-9077
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the share:name parameter. As a result, arbitra...
CVE-2018-9076
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. As a result, arbitrary comma...
CVE-2018-9075
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arb...
CVE-2018-9074
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file upload functionality of the Content Explorer application is vulnerable to path traversal. As a result, users can upload files anywhere on the device's operati...
CVE-2018-9066
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's under...
CVE-2018-9065
In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previ...
CVE-2018-9064
In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.

Copyright 2018, cxsecurity.com
