Vulnerability CVE-2017-3753


Published: 2017-08-09   Modified: 2017-08-10

Description:
A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.

Vendor: Lenovo
Product: Ideacentre 510s-23isu firmware 
Version: o2ekt24a;
Product: Yangtian mc godavari firmware 
Version: m0lkt13a;
Product: Thinkcentre m79 firmware 
Version: m0lkt12a;
Product: Thinkcentre e79 firmware 
Version: m0lkt12a;
Product: S500 firmware 
Version: m0kkt24a;
Product: Thinkcentre x1 aio firmware 
Version: m0hkt32a;
Product: S200z firmware 
Version: m09kt33a;
Product: Yangtian afh110 firmware 
Version: m05kt73a;
Product: Yangtian me/we h110 firmware 
Version: m05kt61a;
Product: Yangtian mc h110 firmware 
Version: m05kt61a;
Product: Thinkcentre e74 firmware 
Version: m05kt54a;
Product: Thinkcentre m700 firmware 
Version: m05kt54a;
Product: Thinkcentre e74s firmware 
Version: m05kt54a;
Product: Thinkcentre m4600t/s firmware 
Version: m05kt54a;
Product: Thinkcentre m600 firmware 
Version: m00kt44a;
Product: Thinkstation p310 firmware 
Version: fwkt57a;
Product: Yangtian afq150 firmware 
Version: fwkt57a;
Product: Thinkcentre m900 firmware 
Version: fwkt39a;
Product: Thinkcentre m8600t/s firmware 
Version: fwkt39a;
Product: Thinkcentre m6600 firmware 
Version: fwkt39a;
Product: Thinkcentre m6600q firmware 
Version: fwkt39a;
Product: Thinkcentre m800 firmware 
Version: fwkt39a;
Product: Thinkcentre m6600t/s firmware 
Version: fwkt39a;
Product: Thinkcentre e74z firmware 
Version: fvkt48a;
Product: Thinkcentre m700z firmware 
Version: fvkt48a;
Product: Thinkcentre m8300z firmware 
Version: fvkt42a;
Product: Thinkcentre m7300z firmware 
Version: fvkt42a;
Product: Thinkcentre m800z firmware 
Version: fvkt42a;
Product: Thinkcentre m83z (aio) firmware 
Version: fvkt42a;
Product: Thinkcentre m8350z firmware 
Version: fvkt42a;
Product: Thinkcentre m9500z firmware 
Version: fukt44a;
Product: Thinkcentre m9550z firmware 
Version: fukt44a;
Product: Thinkcentre m900z firmware 
Version: fukt39a;
Product: Thinkcentre m4500q firmware 
Version: fhkt66a;
Product: Yangtian s3040 firmware 
Version: fgkt49a;
Product: Thinkcentre e73z (aio) firmware 
Version: fgkt49a;
Product: Thinkcentre m73z (aio) firmware 
Version: fgkt46a;
Product: Thinkcentre m7250z firmware 
Version: fgkt46a;
Product: Thinkcentre m7200z firmware 
Version: fgkt46a;
Product: Thinkcentre m8250z firmware 
Version: fgkt46a;
Product: Thinkcentre m8200z firmware 
Version: fgkt46a;
Product: Thinkcentre e93z (aio) firmware 
Version: ffkt43a;
Product: Yangtian s800 firmware 
Version: ffkt43a;
Product: Yangtian afh81 firmware 
Version: fckt80a;
Product: Yangtian mc h81 firmware 
Version: fckt80a;
Product: Yangtian mf/wf h81 firmware 
Version: fckt80a;
Product: Thinkcentre m4500t/s firmware 
Version: fckt78a;
Product: M4550 id firmware 
Version: fckt78a;
Product: Thinkcentre m4500k firmware 
Version: fckt78a;
Product: Thinkcentre e73 firmware 
Version: fckt78a;
Product: Thinkcentre e73s firmware 
Version: fckt78a;
Product: 63 firmware 
Version: fckt78a;
Product: H50-30g firmware 
Version: fckt78a;
Product: M4500 firmware 
Version: fckt78a;
Product: Thinkcentre m73 firmware 
Version: fckt78a;
Product: M4500 id firmware 
Version: fckt78a;
Product: Thinkcentre m83 firmware 
Version: fbktcga;
Product: Thinkstation p300 firmware 
Version: fbktc6a;
Product: Thinkstation e32 firmware 
Version: fbktc6a;
Product: Thinkcentre m8500t/s firmware 
Version: fbktc5a;
Product: Thinkcentre e93 firmware 
Version: fbktc5a;
Product: Thinkcentre m6500t/s firmware 
Version: fbktc5a;
Product: Thinkcentre m73p firmware 
Version: fbktc5a;
Product: Thinkcentre m93p firmware 
Version: fbktc5a;
Product: Thinkcentre m93 firmware 
Version: fbktc5a;
Product: Thinkserver ts140 firmware 
Version: fbktc3a;
Product: Thinkserver ts240 firmware 
Version: fbktc3a;
Product: Thinkserver ts150 firmware 
Version: fbktc3a;
Product: Thinkserver rs140 firmware 
Version: fbkt91c;
Product: Thinkcentre edge 62z firmware 
Version: f8kt40a;
Product: Thinkcentre m72e firmware 
Version: f1kt71a;
Product: Thinkstation p900 firmware 
Version: a6kt86a;
Product: Thinkstation p700 firmware 
Version: a5kt86a;
Product: Thinkstation p500 firmware 
Version: a4kt86a;
Product: Thinkserver td340 firmware 
Version: a3tsb5a;
Product: Thinkstation d30 (4353) firmware 
Version: a3kt57a;
Product: Thinkstation d30 (4354) firmware 
Version: a3kt57a;
Product: Thinkstation s30 (4352) firmware 
Version: a2kt54a;
Product: Thinkstation s30 (4351) firmware 
Version: a2kt54a;
Product: Thinkserver rd640 firmware 
Version: a1tsb5a;
Product: Thinkserver rd540 firmware 
Version: a1tsb5a;
Product: Thinkstation c30 (1136) firmware 
Version: a1kt57a;
Product: Thinkstation c30 (1137) firmware 
Version: a1kt57a;
Product: Thinkserver rd440 firmware 
Version: a0tsb5a;
Product: Thinkstation e31 firmware 
Version: 9skt97a;
Product: Thinkcentre m92 firmware 
Version: 9skt95a;
Product: Thinkcentre m92p firmware 
Version: 9skt95a;
Product: Thinkserver rq750 firmware 
Version: 7.05;
Product: Thinkcentre m610 firmware 
Product: Thinkcentre m910t/s firmware 
Product: Thinkstation p510 firmware 
Product: Thinkstation p710 firmware 
Product: Thinkcentre m710t/s firmware 
Product: Thinkserver rd340 firmware 
Product: Yangtian mc carrizo-l firmware 
Product: Ideacentre 510s-08ish firmware 
Product: Thinkcentre m910q firmware 
Product: Thinkcentre m715q firmware 
Product: Thinkstation p410 firmware 
Product: V320-15iap firmware 

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
https://support.lenovo.com/us/en/product_security/LEN-14695

Related CVE
CVE-2019-6175
A denial of service vulnerability was reported in Lenovo System Update versions prior to 5.07.0088 that could allow configuration files to be written to non-standard locations.
CVE-2019-6182
A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas s...
CVE-2019-6181
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaS...
CVE-2019-6180
A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the use...
CVE-2019-6179
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (...
CVE-2019-10724
There is a vulnerability with the Dolby DAX2 API system services in which a low-privileged user can terminate arbitrary processes that are running at a higher privilege. The following are affected products and versions: Legion Y520T_Z370 6.0.1.8642, ...
CVE-2019-6177
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution C...
CVE-2019-6178
An information leakage vulnerability in Iomega and LenovoEMC NAS products could allow disclosure of some device details such as Share names through the device API when Personal Cloud is enabled. This does not allow read, write, delete, or any other a...

Copyright 2019, cxsecurity.com

 

Back to Top