Vulnerability CVE-2019-6171

Vulnerability CVE-2019-6171

Published: 2019-08-19

Description:

A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the Embedded Controller with unsigned firmware.

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.2/10	10/10	3.9/10

Exploit range	Attack complexity	Authentication
Local	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Complete	Complete	Complete

Affected software
Lenovo -> 20lx firmware
Lenovo -> 20nt firmware
Lenovo -> 337x firmware
Lenovo -> 20b3 firmware
Lenovo -> 20de firmware
Lenovo -> 20ex firmware
Lenovo -> 20ga firmware
Lenovo -> 20j4 firmware
Lenovo -> 20km firmware
Lenovo -> 20m5 firmware
Lenovo -> 20nu firmware
Lenovo -> 343x firmware
Lenovo -> 20a7 firmware
Lenovo -> 20b6 firmware
Lenovo -> 20df firmware
Lenovo -> 20ey firmware
Lenovo -> 20gb firmware
Lenovo -> 20j5 firmware
Lenovo -> 20kn firmware
Lenovo -> 20m6 firmware
Lenovo -> 230x firmware
Lenovo -> 344x firmware
Lenovo -> 20a8 firmware
Lenovo -> 20b7 firmware
Lenovo -> 20dg firmware
Lenovo -> 20f1 firmware
Lenovo -> 20h1 firmware
Lenovo -> 20j6 firmware
Lenovo -> 20kq firmware
Lenovo -> 20m7 firmware
Lenovo -> 232x firmware
Lenovo -> 34xx firmware
Lenovo -> 20a9 firmware
Lenovo -> 20be firmware
Lenovo -> 20dh firmware
Lenovo -> 20f2 firmware
Lenovo -> 20h2 firmware
Lenovo -> 20j7 firmware
Lenovo -> 20ks firmware
Lenovo -> 20m8 firmware
Lenovo -> 233x firmware
Lenovo -> 3xxx firmware
Lenovo -> 20aa firmware
Lenovo -> 20bf firmware
Lenovo -> 20dj firmware
Lenovo -> 20f5 firmware
Lenovo -> 20h4 firmware
Lenovo -> 20ja firmware
Lenovo -> 20kt firmware
Lenovo -> 20mu firmware
Lenovo -> 234x firmware
Lenovo -> 20ab firmware
Lenovo -> 20bg firmware
Lenovo -> 20dq firmware
Lenovo -> 20f6 firmware
Lenovo -> 20h5 firmware
Lenovo -> 20jh firmware
Lenovo -> 20ku firmware
Lenovo -> 20mv firmware
Lenovo -> 235x firmware
Lenovo -> 20ac firmware
Lenovo -> 20bl firmware
Lenovo -> 20dr firmware
Lenovo -> 20fm firmware
Lenovo -> 20h6 firmware
Lenovo -> 20jj firmware
Lenovo -> 20kv firmware
Lenovo -> 20mw firmware
Lenovo -> 239x firmware
Lenovo -> 20aj firmware
Lenovo -> 20bm firmware
Lenovo -> 20ds firmware
Lenovo -> 20fn firmware
Lenovo -> 20h8 firmware
Lenovo -> 20jq firmware
Lenovo -> 20l2 firmware
Lenovo -> 20mx firmware
Lenovo -> 242x firmware
Lenovo -> 20ak firmware
Lenovo -> 20bu firmware
Lenovo -> 20dt firmware
Lenovo -> 20fu firmware
Lenovo -> 20hm firmware
Lenovo -> 20jr firmware
Lenovo -> 20lh firmware
Lenovo -> 20n8 firmware
Lenovo -> 243x firmware
Lenovo -> 20al firmware
Lenovo -> 20bv firmware
Lenovo -> 20e0 firmware
Lenovo -> 20fv firmware
Lenovo -> 20hn firmware
Lenovo -> 20ju firmware
Lenovo -> 20lj firmware
Lenovo -> 20n9 firmware
Lenovo -> 244x firmware
Lenovo -> 20am firmware
Lenovo -> 20bw firmware
Lenovo -> 20ef firmware
Lenovo -> 20fw firmware

References:

https://support.lenovo.com/solutions/LEN-27764

Vulnerability CVE-2019-6171

A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the Embedded Controller with unsigned firmware.

CWE-264

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

7.2/10

10/10

3.9/10

Local

Low

No required

Complete

Complete

Complete

Affected software

References: