#VU62366 Security restrictions bypass in Hardware solutions


Published: 2022-04-18

Vulnerability identifier: #VU62366

Vulnerability risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3972

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
IdeaPad 3 15ADA05
Hardware solutions / Firmware
IdeaPad 3-14ADA05
Hardware solutions / Firmware
IdeaPad 3-14ADA6
Hardware solutions / Firmware
IdeaPad 3-14ALC6
Hardware solutions / Firmware
IdeaPad 3-14ARE05
Hardware solutions / Firmware
IdeaPad 3-15ADA6
Hardware solutions / Firmware
IdeaPad 3-15ALC6
Hardware solutions / Firmware
IdeaPad 3-15ARE05
Hardware solutions / Firmware
IdeaPad 3-15IGL05
Hardware solutions / Firmware
IdeaPad 3-17ADA05
Hardware solutions / Firmware
IdeaPad 3-17ADA6
Hardware solutions / Firmware
IdeaPad 3-17ALC6
Hardware solutions / Firmware
IdeaPad 3-17ARE05
Hardware solutions / Firmware
IdeaPad 3-17IIL05
Hardware solutions / Firmware
ideapad L3-15ITL6
Hardware solutions / Firmware
ideapad L340-15IRH Gaming
Hardware solutions / Firmware
ideapad L340-15IWL
Hardware solutions / Firmware
ideapad L340-15IWL Touch
Hardware solutions / Firmware
ideapad L340-17IRH Gaming
Hardware solutions / Firmware
ideapad L340-17IWL
Hardware solutions / Firmware
Lenovo Legion 5 Pro-16ACH6
Hardware solutions / Firmware
Lenovo Legion 5 Pro-16ACH6H
Hardware solutions / Firmware
Lenovo Legion 5 Pro-16ITH6
Hardware solutions / Firmware
Lenovo Legion 5 Pro-16ITH6H
Hardware solutions / Firmware
Lenovo Legion 5-15ACH6
Hardware solutions / Firmware
Lenovo Legion 5-15ACH6A
Hardware solutions / Firmware
Lenovo Legion 5-15ACH6H
Hardware solutions / Firmware
Lenovo Legion 5-15ITH6
Hardware solutions / Firmware
Lenovo Legion 5-15ITH6H
Hardware solutions / Firmware
Lenovo Legion 5-17ACH6
Hardware solutions / Firmware
Lenovo Legion 5-17ACH6H
Hardware solutions / Firmware
Lenovo Legion 5-17ITH6
Hardware solutions / Firmware
Lenovo Legion 5-17ITH6H
Hardware solutions / Firmware
Lenovo Legion 7-16ACHg6
Hardware solutions / Firmware
Lenovo Legion 7-16ITHg6
Hardware solutions / Firmware
Lenovo Legion S7-15ACH6
Hardware solutions / Firmware
Lenovo Legion Y540-15IRH
Hardware solutions / Firmware
Lenovo Legion Y540-15IRH-PG0
Hardware solutions / Firmware
Lenovo Legion Y540-17IRH
Hardware solutions / Firmware
Lenovo Legion Y540-17IRH-PG0
Hardware solutions / Firmware
Lenovo Legion Y545
Hardware solutions / Firmware
Lenovo Legion Y545-PG0
Hardware solutions / Firmware
Lenovo Legion Y7000-2019
Hardware solutions / Firmware
Lenovo Legion Y7000-2019-PG0
Hardware solutions / Firmware
ideapad S145-14API
Hardware solutions / Firmware
ideapad S145-14AST
Hardware solutions / Firmware
ideapad S145-14IGM
Hardware solutions / Firmware
ideapad S145-14IIL
Hardware solutions / Firmware
ideapad S145-15API
Hardware solutions / Firmware
ideapad S145-15AST
Hardware solutions / Firmware
ideapad S145-15IGM
Hardware solutions / Firmware
ideapad S145-15IIL
Hardware solutions / Firmware
ideapad S540-13API
Hardware solutions / Firmware
Lenovo V14 G2-ALC
Hardware solutions / Firmware
Lenovo V14-ADA
Hardware solutions / Firmware
Lenovo V14-ARE
Hardware solutions / Firmware
Lenovo V14-IGL
Hardware solutions / Firmware
Lenovo V14-IIL
Hardware solutions / Firmware
V140-15IWL
Hardware solutions / Firmware
Lenovo V15 G2-ALC
Hardware solutions / Firmware
Lenovo V15-ADA
Hardware solutions / Firmware
Lenovo V15-IGL
Hardware solutions / Firmware
Lenovo V15-IIL
Hardware solutions / Firmware
Lenovo V17-IIL
Hardware solutions / Firmware
Lenovo V340-17IWL
Hardware solutions / Firmware
Yoga Slim 7 Pro-14ACH5 D
Hardware solutions / Firmware
Yoga Slim 7 Pro-14ACH5 OD
Hardware solutions / Firmware
ideapad Yoga Slim 7 Pro-14ARH5
Hardware solutions / Firmware
ideapad 3-14IGL05
Hardware solutions / Firmware
ideapad 3-14IIL05
Hardware solutions / Firmware
ideapad 3-15IIL05
Hardware solutions / Firmware
ideapad 5-15ARE05
Hardware solutions / Firmware
ideapad Creator 5-15IMH05
Hardware solutions / Firmware
ideapad Gaming 3-15ARH05
Hardware solutions / Firmware
ideapad Gaming 3-15IMH05
Hardware solutions / Firmware

Vendor:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because a driver used during the manufacturing process was mistakenly not deactivated. A local privileged user can change the Secure Boot setting by modifying an NVRAM variable and bypass the implemented security restrictions.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions


External links
http://support.lenovo.com/lu/uk/product_security/LEN-73440


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

