#VU81984 Security features bypass in Lenovo Hardware solutions


Published: 2023-10-13

Vulnerability identifier: #VU81984

Vulnerability risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5078

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
ThinkPad S2 Yoga Gen 8 Types 21FU China Only
Hardware solutions / Firmware
ThinkPad L13 Gen 2 21AB s
Hardware solutions / Firmware
ThinkPad L13 Gen 2 21AC s
Hardware solutions / Firmware
ThinkPad L13 Gen 4 21FN
Hardware solutions / Firmware
ThinkPad L13 Gen 4 21FQ
Hardware solutions / Firmware
ThinkPad L13 Yoga Gen 2 21AD s
Hardware solutions / Firmware
ThinkPad L13 Yoga Gen 2 21AE s
Hardware solutions / Firmware
ThinkPad L13 Yoga Gen 4 21FR
Hardware solutions / Firmware
ThinkPad L13 Yoga Gen 4 21FS
Hardware solutions / Firmware
ThinkPad P14s Gen 3 21J5
Hardware solutions / Firmware
ThinkPad P14s Gen 3 21J6
Hardware solutions / Firmware
ThinkPad P16s Gen 1 21CK
Hardware solutions / Firmware
ThinkPad P16s Gen 1 21CL
Hardware solutions / Firmware
ThinkPad T14 Gen 3 21CF
Hardware solutions / Firmware
ThinkPad T14 Gen 3 21CG
Hardware solutions / Firmware
ThinkPad T14s Gen 3 21CQ 21CR
Hardware solutions / Firmware
ThinkPad T16 Gen 1 21CH
Hardware solutions / Firmware
ThinkPad T16 Gen 1 21CJ
Hardware solutions / Firmware
ThinkPad S2 Gen 6 Type 21AF China Only
Hardware solutions / Firmware
ThinkPad S2 Gen 8 Types 21FT China Only
Hardware solutions / Firmware
ThinkPad S2 Yoga Gen 6 Type 21AG China Only
Hardware solutions / Firmware
ThinkPad X13 Gen 3 21CM 21CN
Hardware solutions / Firmware
ThinkPad L13 Gen 3 21B9 21BA
Hardware solutions / Firmware
ThinkPad L13 Yoga Gen 3 21BB
Hardware solutions / Firmware
ThinkPad L13 Yoga Gen 3 21BC
Hardware solutions / Firmware
ThinkPad L14 Gen 3 21C5 s
Hardware solutions / Firmware
ThinkPad L14 Gen 3 21C6 s
Hardware solutions / Firmware
ThinkPad L14 Gen 4 21H5 s
Hardware solutions / Firmware
ThinkPad L14 Gen 4 21H6 s
Hardware solutions / Firmware
ThinkPad L15 Gen 3 21C7 s
Hardware solutions / Firmware
ThinkPad L15 Gen 3 21C8 s
Hardware solutions / Firmware
ThinkPad L15 Gen 4 21H7 s
Hardware solutions / Firmware
ThinkPad L15 Gen 4 21H8 s
Hardware solutions / Firmware
ThinkPad S2 Gen 7 Type 21BD
Hardware solutions / Firmware
ThinkPad S2 Yoga Gen 7 Type 21BE
Hardware solutions / Firmware

Vendor: Lenovo

Description

The vulnerability allows an attacker to compromise the affected system.

The vulnerability exists due to an unspecified error in the BIOS of some Lenovo ThinkPad products. An attacker with physical access to the device can tamper with the BIOS firmware.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

ThinkPad S2 Yoga Gen 8 Types 21FU China Only: All versions

ThinkPad L13 Gen 2 21AB s: All versions

ThinkPad L13 Gen 2 21AC s: All versions

ThinkPad L13 Gen 4 21FN: All versions

ThinkPad L13 Gen 4 21FQ: All versions

ThinkPad L13 Yoga Gen 2 21AD s: All versions

ThinkPad L13 Yoga Gen 2 21AE s: All versions

ThinkPad L13 Yoga Gen 4 21FR: All versions

ThinkPad L13 Yoga Gen 4 21FS: All versions

ThinkPad P14s Gen 3 21J5: All versions

ThinkPad P14s Gen 3 21J6: All versions

ThinkPad P16s Gen 1 21CK: All versions

ThinkPad P16s Gen 1 21CL: All versions

ThinkPad T14 Gen 3 21CF: All versions

ThinkPad T14 Gen 3 21CG: All versions

ThinkPad T14s Gen 3 21CQ 21CR: All versions

ThinkPad T16 Gen 1 21CH: All versions

ThinkPad T16 Gen 1 21CJ: All versions

ThinkPad S2 Gen 6 Type 21AF China Only: All versions

ThinkPad S2 Gen 8 Types 21FT China Only: All versions

ThinkPad S2 Yoga Gen 6 Type 21AG China Only: All versions

ThinkPad X13 Gen 3 21CM 21CN: All versions


External links
http://support.lenovo.com/us/en/product_security/LEN-141775


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

