Thinkpad Helix Firmware
CVE-2021-3453
MEDIUM
Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access the ability to write to the SPI flash storage.
AnalysisAI
Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access the ability to write to the SPI flash. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-693. Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access the ability to write to the SPI flash storage. Affected products include: Lenovo Thinkpad Helix Firmware, Lenovo Thinkpad T550 Firmware, Lenovo Thinkpad W550S Firmware, Lenovo Thinkpad X1 Carbon 3Rd Gen Firmware, Lenovo Thinkpad X250 Firmware.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Thinkpad Helix Firmware
View allThe BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p, BIOS versions up to R07ET90W, and T470p,
During an internal product security audit a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI h
A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an
A potential vulnerability in the SMI callback function used in the Legacy SD driver in some Lenovo ThinkPad, ThinkStatio
A potential vulnerability in the SMI callback function used in Legacy USB driver using passed parameter without sufficie
A potential vulnerability in the SMI callback function used in the Legacy USB driver using boot services structure in ru
A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad s
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today