Thinkpad X380 Yoga Firmware
CVE-2021-3599
MEDIUM
Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
AnalysisAI
A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-20. A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code. Affected products include: Lenovo Thinkpad X380 Yoga Firmware, Lenovo Thinkpad X1 Fold Gen 1 Firmware, Lenovo Thinkpad Yoga 260 Firmware, Lenovo Thinkpad Yoga 11E 3Rd Gen Firmware, Lenovo Thinkpad Yoga 15 Firmware.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Thinkpad X380 Yoga Firmware
View allThe BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p, BIOS versions up to R07ET90W, and T470p,
An internal shell was included in BIOS image in some ThinkPad models that could allow escalation of privilege. Rated med
In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrar
A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local
A potential vulnerability in the SMI callback function used in the Legacy SD driver in some Lenovo ThinkPad, ThinkStatio
There is a vulnerability with the Dolby DAX2 API system services in which a low-privileged user can terminate arbitrary
A potential vulnerability in the SMI callback function used in Legacy USB driver using passed parameter without sufficie
A potential vulnerability in the SMI callback function used in the Legacy USB driver using boot services structure in ru
A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad s
A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhan
In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. Rated low severity (CVSS 3.3), this
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today