#VU62365 Security restrictions bypass in Lenovo products - CVE-2021-3971
Published: April 18, 2022
Vulnerability identifier: #VU62365
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-3971
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
IdeaPad 3 15ADA05
IdeaPad 3-14ADA05
IdeaPad 3-14ADA6
IdeaPad 3-14ALC6
IdeaPad 3-14ARE05
IdeaPad 3-15ADA6
IdeaPad 3-15ALC6
IdeaPad 3-15ARE05
IdeaPad 3-15IGL05
IdeaPad 3-17ADA05
IdeaPad 3-17ADA6
IdeaPad 3-17ALC6
IdeaPad 3-17ARE05
IdeaPad 3-17IIL05
ideapad L3-15ITL6
ideapad L340-15IRH Gaming
ideapad L340-15IWL
ideapad L340-15IWL Touch
ideapad L340-17IRH Gaming
ideapad L340-17IWL
Lenovo Legion 5 Pro-16ACH6
Lenovo Legion 5 Pro-16ACH6H
Lenovo Legion 5 Pro-16ITH6
Lenovo Legion 5 Pro-16ITH6H
Lenovo Legion 5-15ACH6
Lenovo Legion 5-15ACH6A
Lenovo Legion 5-15ACH6H
Lenovo Legion 5-15ITH6
Lenovo Legion 5-15ITH6H
Lenovo Legion 5-17ACH6
Lenovo Legion 5-17ACH6H
Lenovo Legion 5-17ITH6
Lenovo Legion 5-17ITH6H
Lenovo Legion 7-16ACHg6
Lenovo Legion 7-16ITHg6
Lenovo Legion Y540-15IRH
Lenovo Legion Y540-15IRH-PG0
Lenovo Legion Y540-17IRH
Lenovo Legion Y540-17IRH-PG0
Lenovo Legion Y545
Lenovo Legion Y545-PG0
Lenovo Legion Y7000-2019
Lenovo Legion Y7000-2019-PG0
ideapad S145-14API
ideapad S145-14AST
ideapad S145-14IGM
ideapad S145-14IIL
ideapad S145-15API
ideapad S145-15AST
ideapad S145-15IGM
ideapad S145-15IIL
ideapad S540-13API
Lenovo V14 G2-ALC
Lenovo V14-ADA
Lenovo V14-ARE
Lenovo V14-IGL
Lenovo V14-IIL
V140-15IWL
Lenovo V15 G2-ALC
Lenovo V15-ADA
Lenovo V15-IGL
Lenovo V15-IIL
Lenovo V17-IIL
Lenovo V340-17IWL
Yoga Slim 7 Pro-14ACH5 D
Yoga Slim 7 Pro-14ACH5 OD
ideapad 3-14IGL05
ideapad 3-14IIL05
ideapad 3-15IIL05
ideapad 5-15ARE05
ideapad Creator 5-15IMH05
ideapad Gaming 3-15ARH05
ideapad Gaming 3-15IMH05
IdeaPad 3 15ADA05
IdeaPad 3-14ADA05
IdeaPad 3-14ADA6
IdeaPad 3-14ALC6
IdeaPad 3-14ARE05
IdeaPad 3-15ADA6
IdeaPad 3-15ALC6
IdeaPad 3-15ARE05
IdeaPad 3-15IGL05
IdeaPad 3-17ADA05
IdeaPad 3-17ADA6
IdeaPad 3-17ALC6
IdeaPad 3-17ARE05
IdeaPad 3-17IIL05
ideapad L3-15ITL6
ideapad L340-15IRH Gaming
ideapad L340-15IWL
ideapad L340-15IWL Touch
ideapad L340-17IRH Gaming
ideapad L340-17IWL
Lenovo Legion 5 Pro-16ACH6
Lenovo Legion 5 Pro-16ACH6H
Lenovo Legion 5 Pro-16ITH6
Lenovo Legion 5 Pro-16ITH6H
Lenovo Legion 5-15ACH6
Lenovo Legion 5-15ACH6A
Lenovo Legion 5-15ACH6H
Lenovo Legion 5-15ITH6
Lenovo Legion 5-15ITH6H
Lenovo Legion 5-17ACH6
Lenovo Legion 5-17ACH6H
Lenovo Legion 5-17ITH6
Lenovo Legion 5-17ITH6H
Lenovo Legion 7-16ACHg6
Lenovo Legion 7-16ITHg6
Lenovo Legion Y540-15IRH
Lenovo Legion Y540-15IRH-PG0
Lenovo Legion Y540-17IRH
Lenovo Legion Y540-17IRH-PG0
Lenovo Legion Y545
Lenovo Legion Y545-PG0
Lenovo Legion Y7000-2019
Lenovo Legion Y7000-2019-PG0
ideapad S145-14API
ideapad S145-14AST
ideapad S145-14IGM
ideapad S145-14IIL
ideapad S145-15API
ideapad S145-15AST
ideapad S145-15IGM
ideapad S145-15IIL
ideapad S540-13API
Lenovo V14 G2-ALC
Lenovo V14-ADA
Lenovo V14-ARE
Lenovo V14-IGL
Lenovo V14-IIL
V140-15IWL
Lenovo V15 G2-ALC
Lenovo V15-ADA
Lenovo V15-IGL
Lenovo V15-IIL
Lenovo V17-IIL
Lenovo V340-17IWL
Yoga Slim 7 Pro-14ACH5 D
Yoga Slim 7 Pro-14ACH5 OD
ideapad 3-14IGL05
ideapad 3-14IIL05
ideapad 3-15IIL05
ideapad 5-15ARE05
ideapad Creator 5-15IMH05
ideapad Gaming 3-15ARH05
ideapad Gaming 3-15IMH05
Software vendor:
Lenovo
Lenovo
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an error in driver used during older manufacturing processes and was mistakenly included in the BIOS image. A local privileged user can modify firmware protection region by changing an NVRAM variable and bypass implemented security restrictions.
Remediation
Install updates from vendor's website.