Security features bypass in Lenovo products - CVE-2023-5078

 


Published: October 13, 2023


Vulnerability identifier: #VU81984
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-5078
CWE-ID: CWE-254
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Lenovo
Affected software:
ThinkPad S2 Yoga Gen 8 Types 21FU China Only
ThinkPad L13 Gen 2 21AB s
ThinkPad L13 Gen 2 21AC s
ThinkPad L13 Gen 4 21FN
ThinkPad L13 Gen 4 21FQ
ThinkPad L13 Yoga Gen 2 21AD s
ThinkPad L13 Yoga Gen 2 21AE s
ThinkPad L13 Yoga Gen 4 21FR
ThinkPad L13 Yoga Gen 4 21FS
ThinkPad P14s Gen 3 21J5
ThinkPad P14s Gen 3 21J6
ThinkPad P16s Gen 1 21CK
ThinkPad P16s Gen 1 21CL
ThinkPad T14 Gen 3 21CF
ThinkPad T14 Gen 3 21CG
ThinkPad T14s Gen 3 21CQ 21CR
ThinkPad T16 Gen 1 21CH
ThinkPad T16 Gen 1 21CJ
ThinkPad S2 Gen 6 Type 21AF China Only
ThinkPad S2 Gen 8 Types 21FT China Only
ThinkPad S2 Yoga Gen 6 Type 21AG China Only
ThinkPad X13 Gen 3 21CM 21CN
ThinkPad L13 Gen 3 21B9 21BA
ThinkPad L13 Yoga Gen 3 21BB
ThinkPad L13 Yoga Gen 3 21BC
ThinkPad L14 Gen 3 21C5 s
ThinkPad L14 Gen 3 21C6 s
ThinkPad L14 Gen 4 21H5 s
ThinkPad L14 Gen 4 21H6 s
ThinkPad L15 Gen 3 21C7 s
ThinkPad L15 Gen 3 21C8 s
ThinkPad L15 Gen 4 21H7 s
ThinkPad L15 Gen 4 21H8 s
ThinkPad S2 Gen 7 Type 21BD
ThinkPad S2 Yoga Gen 7 Type 21BE

Detailed vulnerability description

The vulnerability allows an attacker to compromise the affected system.

The vulnerability exists due to an unspecified error in the BIOS of some Lenovo ThinkPad products. An attacker with physical access to the device can tamper with the BIOS firmware.


How to mitigate CVE-2023-5078

Install updates from the vendor's website.
