Skip to main content

Thinkpad 10 Ella 2 Bios CVE-2016-8222

MEDIUM
Improper Access Control (CWE-284)
2016-11-30 psirt@lenovo.com
Microsoft Denial Of Service Authentication Bypass Thinkpad 10 Ella 2 Bios Thinkpad 11E Beema Bios Thinkpad 11E Braswell Bios Thinkpad 11E Broadwell Bios Thinkpad 11E Skylake Bios Thinkpad 13E Bios Thinkpad E450 Bios Thinkpad E450C Bios Thinkpad E455 Bios Thinkpad E460 Bios Thinkpad E465 Bios Thinkpad E550 Bios Thinkpad E550C Bios Thinkpad E555 Bios Thinkpad E560 Bios Thinkpad E565 Bios Thinkpad Edge E440 Bios Thinkpad Edge E445 Bios Thinkpad Edge E540 Bios Thinkpad Edge E545 Bios Thinkpad Helix 20Cg Bios Thinkpad Helix 20Ch Bios Thinkpad L440 Bios Thinkpad L450 Bios Thinkpad L460 Bios Thinkpad L540 Bios Thinkpad L560 Bios Thinkpad P50 Bios Thinkpad P50S Bios Thinkpad P70 Bios Thinkpad S1 Yoga 12 Bios Thinkpad S1 Yoga Non Vpro Bios Thinkpad S1 Yoga Vpro Bios Thinkpad S3 S440 Bios Thinkpad S3 Yoga 14 Bios Thinkpad S5 E560P Bios Thinkpad S5 Yoga 15 Bios Thinkpad S540 Bios Thinkpad T440 Bios Thinkpad T440P Bios Thinkpad T440S Bios Thinkpad T440U Bios Thinkpad T450 Bios Thinkpad T450S Bios Thinkpad T460 Bios Thinkpad T460P Bios Thinkpad T460S Bios Thinkpad T540 Bios Thinkpad T540P Bios Thinkpad T550 Bios Thinkpad T560 Bios Thinkpad Tablet 10 Bios Thinkpad Tablet 8 Bios Thinkpad W540 Bios Thinkpad W541 Bios Thinkpad W550S Bios Thinkpad X1 Carbon 20Ax Bios Thinkpad X1 Carbon 20Bx Bios Thinkpad X1 Carbon Bios Thinkpad X1 Tablet Bios Thinkpad X1 Yoga Bios Thinkpad X140E Amd Bios Thinkpad X240 Bios Thinkpad X240S Bios Thinkpad X250 Broadwell Bios Thinkpad X250 Sharkbay Bios Thinkpad X260 Bios Thinkpad Yoga 11E Beema Bios Thinkpad Yoga 11E Bios Thinkpad Yoga 11E Braswell Bios Thinkpad Yoga 11E Broadwell Bios Thinkpad Yoga 11E Skylake Bios Thinkpad Yoga 14 460 S3 Bios Thinkpad Yoga 260 S1 Bios
4.4
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 30, 2016 - 15:59 cve.org
MEDIUM 4.4

DescriptionCVE.org

A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow certain BIOS variables or settings to be altered (such as boot sequence). The setting or changing of BIOS passwords is not affected by this vulnerability.

AnalysisAI

A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-284. A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow certain BIOS variables or settings to be altered (such as boot sequence). The setting or changing of BIOS passwords is not affected by this vulnerability. Affected products include: Lenovo Thinkpad 10 Ella 2 Bios, Lenovo Thinkpad 11E Beema Bios, Lenovo Thinkpad 11E Braswell Bios, Lenovo Thinkpad 11E Broadwell Bios, Lenovo Thinkpad 11E Skylake Bios.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2016-8222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy