Vulnerability CVE-2018-9069

Vulnerability CVE-2018-9069

Published: 2018-10-02

Description:

In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adequately protected against, potentially allowing an attacker with administrator access to alter the contents of BIOS.

Type:

CWE-362

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:C)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7/10	7.8/10	6.8/10

Exploit range	Attack complexity	Authentication
Remote	Medium	Single time
Confidentiality impact	Integrity impact	Availability impact
None	Partial	Complete

Affected software
HP -> 710s plus-3ikb firmware
HP -> Lenovo ideapad 320s-14ikbr firmware
HP -> Nano110-15ikb firmware
HP -> Y520-15ikbn firmware
HP -> 710s plus touch-13ikb firmware
HP -> Lenovo ideapad 320s-15ikbr firmware
HP -> R720-15ikba firmware
HP -> Y720-15ikb firmware
HP -> 320-17ikbrn
HP -> 720s-13ikb firmware
HP -> Lenovo ideapad 520s-14ikbr firmware
HP -> R720-15ikbn firmware
HP -> Yoga 310-11iap firmware
HP -> 320s-14ikb
HP -> 720s-14ikbr firmware
HP -> Lenovo ideapad 720s-14ikb firmware
HP -> Rescuer r720-15ikbm firmware
HP -> Yoga 510-14isk firmware
HP -> Miix 720-12ikb
HP -> B320-14ikb firmware
HP -> Lenovo ideapad flex 5-1470 firmware
HP -> Rescuer y520-15ikbm firmware
HP -> Yoga 520-14ikb firmware
HP -> 310s-14isk firmware
HP -> E42-80 firmware
HP -> Lenovo ideapad flex 5-1570 firmware
HP -> V310-14ikb firmware
HP -> Yoga 720-13ikb firmware
HP -> 320-15ikbra firmware
HP -> E43-80 kbl firmware
HP -> Lenovo ideapad y520-15ikbn firmware
HP -> V310-14isk firmware
HP -> Yoga 720-13ikbr firmware
HP -> 320-15ikbrn firmware
HP -> E52-80 firmware
HP -> Lenovo tianyi 310-14ikb firmware
HP -> V310-15ikb firmware
HP -> Yoga 720-15ikb firmware
HP -> 320-15ikbrn touch firmware
HP -> Flex 4-1470 firmware
HP -> Lenovo tianyi 310-15ikb firmware
HP -> V310-15isk firmware
HP -> Zhaoyang k42-80 firmware
HP -> 320s-15ikb firmware
HP -> Flex 5-1470 firmware
HP -> Lenovo v720-14 firmware
HP -> V330-14ikb firmware
HP -> 320s-15isk firmware
HP -> Flex 5-1570 firmware
HP -> Lenovo y520-15ikba firmware
HP -> V330-14isk firmware
HP -> 510s-14isk firmware
HP -> Ideapad 2in1 14 firmware
HP -> Lenovo y520-15ikbm firmware
HP -> V510-14ikb firmware
HP -> 520-15ikbrn firmware
HP -> Lenovo ideapad 320-14ikb(i+a) firmware
HP -> Lenovo y720-15ikb firmware
HP -> V510-15ikb firmware
HP -> 520s-14ikb firmware
HP -> Lenovo ideapad 320-14ikb(i+n) firmware
HP -> Lenovo yoga 520-14ikb firmware
HP -> Xiaoxinair13ikbpro firmware
HP -> 7000-15 u42 firmware
HP -> Lenovo ideapad 320-15abr firmware
HP -> Lenovo yoga 520-15ikb firmware
HP -> Xx chao5000-ikbra firmware
HP -> 7000 u42 firmware
HP -> Lenovo ideapad 320-15ikb(i+n) firmware
HP -> Nano110-14ikb firmware
HP -> Y520-15ikba firmware
HP -> 710s plus-13ikb 16g firmware

References:

https://support.lenovo.com/us/en/solutions/LEN-20184

Vulnerability CVE-2018-9069

In some Lenovo IdeaPad consumer notebook models, a race condition in the BIOS flash device locking mechanism is not adequately protected against, potentially allowing an attacker with administrator access to alter the contents of BIOS.

CWE-362

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:C)

7/10

7.8/10

6.8/10

Remote

Medium

Single time

None

Partial

Complete

Affected software

References: