Input validation error in Lenovo products - CVE-2021-4211

 


Published: April 14, 2022


Vulnerability identifier: #VU62319
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-4211
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
IdeaCentre 5-14IOB6
IdeaCentre AIO 3-22ADA6
IdeaCentre AIO 3-22IIL5
IdeaCentre AIO 3-22ITL6
IdeaCentre AIO 3-24ADA6
IdeaCentre AIO 3-24IIL5
IdeaCentre AIO 3-24ITL6
IdeaCentre AIO 3-27ITL6
IdeaCentre Creator 5-14IOB6
IdeaCentre Gaming 5-14IOB6
ThinkCentre M600
ThinkCentre M700 Thin Client M700
ThinkCentre M700
ThinkCentre M70a
ThinkCentre M710e
ThinkCentre M710q 10YC
ThinkCentre M710q
ThinkCentre M710s
ThinkCentre M710t
ThinkCentre M720e
ThinkCentre M75n
ThinkCentre M800
ThinkCentre M810z
ThinkCentre M820z
ThinkCentre M900
ThinkCentre M900x
ThinkCentre M90a Gen 2
ThinkCentre M910q
ThinkCentre M910s
ThinkCentre M910t
ThinkCentre M910x
QT M410/B415/M415
ThinkCentre E75 t/s
ThinkCentre M610
ThinkCentre M6600q/t/s
ThinkCentre M700q
ThinkCentre M8600t/s
ideacentre 510S-07ICB
ideacentre 510S-07ICK
ideacentre A340-22ICB
IdeaCentre A340-22ICK
ideacentre A340-24ICB
IdeaCentre A340-24ICK
ideacentre A540-24ICB
ideacentre A540-27ICB
Lenovo V30a-22IML
Lenovo V30a-24IML
Lenovo V410z
Lenovo V50t-13IOB G2
Lenovo V520
Lenovo V520s
Lenovo V530-15ICB
Lenovo V530-15ICR
Lenovo V530s-07ICB
Lenovo V530s-07ICR
Lenovo V540-24IWL
YANGTIAN AfQ150
YTA8900f
ThinkEdge SE30
ThinkStation P310 Workstation
ThinkStation P320 Workstation
ThinkStation P318
Software vendor:
Lenovo

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the SMI callback function within the SMBIOS event log driver. A local user can execute arbitrary code with elevated privileges.


Remediation

Install updates from the vendor's website.
