Skip to main content

Ideacentre 300 20Ish Firmware CVE-2017-3753

MEDIUM
Code Injection (CWE-94)
2017-08-10 psirt@lenovo.com
RCE Code Injection Lenovo Ideacentre 300 20Ish Firmware Ideacentre 300S 11Ish Firmware Ideacentre 510S 08Ish Firmware Ideacentre 700 Firmware 63 Firmware H50 30G Firmware M4500 Firmware M4500 Id Firmware M4550 Id Firmware S500 Firmware V320 15Iap Firmware Thinkcentre E73 Firmware Thinkcentre E73S Firmware Thinkcentre E74 Firmware Thinkcentre E74S Firmware Thinkcentre E75 T S Firmware Thinkcentre E79 Firmware Thinkcentre E93 Firmware Thinkcentre M4500K Firmware Thinkcentre M4500Q Firmware Thinkcentre M4500T S Firmware Thinkcentre M4600T S Firmware Thinkcentre M600 Firmware Thinkcentre M610 Firmware Thinkcentre M6500T S Firmware Thinkcentre M6600 Firmware Thinkcentre M6600Q Firmware Thinkcentre M6600T S Firmware Thinkcentre M700 Firmware Thinkcentre M710T S Firmware Thinkcentre M715Q Firmware Thinkcentre M72E Firmware Thinkcentre M73 Firmware Thinkcentre M73P Firmware Thinkcentre M79 Firmware Thinkcentre M800 Firmware Thinkcentre M83 Firmware Thinkcentre M8500T S Firmware Thinkcentre M8600T S Firmware Thinkcentre M900 Firmware Thinkcentre M910T S Firmware Thinkcentre M910Q Firmware Thinkcentre M910X Firmware Thinkcentre M92 Firmware Thinkcentre M92P Firmware Thinkcentre M93 Firmware Thinkcentre M93P Firmware Yangtian Afh110 Firmware Yangtian Afh81 Firmware Yangtian Afq150 Firmware Yangtian Mc Carrizo L Firmware Yangtian Mc Godavari Firmware Yangtian Mc H110 Firmware Yangtian Mc H81 Firmware Yangtian Me We H110 Firmware Yangtian Mf Wf H81 Firmware Ideacentre 510S 23Isu Firmware S200Z Firmware Thinkcentre E73Z Aio Firmware Thinkcentre E74Z Firmware Thinkcentre E93Z Aio Firmware Thinkcentre Edge 62Z Firmware Thinkcentre M700Z Firmware Thinkcentre M7200Z Firmware Thinkcentre M7250Z Firmware Thinkcentre M7300Z Firmware Thinkcentre M73Z Aio Firmware Thinkcentre M800Z Firmware Thinkcentre M810Z Firmware Thinkcentre M8200Z Firmware Thinkcentre M8250Z Firmware Thinkcentre M8300Z Firmware Thinkcentre M8350Z Firmware Thinkcentre M83Z Aio Firmware Thinkcentre M900Z Firmware Thinkcentre M9500Z Firmware Thinkcentre M9550Z Firmware Thinkcentre X1 Aio Firmware Yangtian S3040 Firmware Yangtian S800 Firmware Thinkserver Rd340 Firmware Thinkserver Rd440 Firmware Thinkserver Rd540 Firmware Thinkserver Rd640 Firmware Thinkserver Rq750 Firmware Thinkserver Rs140 Firmware Thinkserver Td340 Firmware Thinkserver Ts140 Firmware Thinkserver Ts150 Firmware Thinkserver Ts240 Firmware Thinkserver Ts250 Firmware Thinkserver Ts450 Firmware Thinkserver Ts550 Firmware Thinkstation C30 1136 Firmware Thinkstation D30 4353 Firmware Thinkstation E31 Firmware Thinkstation E32 Firmware Thinkstation P300 Firmware Thinkstation P310 Firmware Thinkstation P320 Firmware Thinkstation P410 Firmware Thinkstation P500 Firmware Thinkstation P510 Firmware Thinkstation P700 Firmware Thinkstation P710 Firmware Thinkstation P900 Firmware Thinkstation P910 Firmware Thinkstation S30 4351 Firmware Thinkstation C30 1137 Firmware Thinkstation S30 4352 Firmware Thinkstation D30 4354 Firmware
6.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 10, 2017 - 00:29 cve.org
MEDIUM 6.8

DescriptionCVE.org

A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.

AnalysisAI

A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. Affected products include: Lenovo Ideacentre 300-20Ish Firmware, Lenovo Ideacentre 300S-11Ish Firmware, Lenovo Ideacentre 510S-08Ish Firmware, Lenovo Ideacentre 700 Firmware, Lenovo 63 Firmware.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

Share

CVE-2017-3753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy