Multiple vulnerabilities in Lenovo ThinkPad BIOS
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-1108 CVE-2022-1107 |
| CWE-ID | CWE-119 CWE-264 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
ThinkPad X1 Fold Gen 1 20RK Hardware solutions / Firmware ThinkPad X1 Fold Gen 1 20RL Hardware solutions / Firmware ThinkPad 11e 20D9 Hardware solutions / Firmware ThinkPad 11e 20DA Hardware solutions / Firmware ThinkPad Helix 20CG Hardware solutions / Firmware ThinkPad Helix 20CH Hardware solutions / Firmware ThinkPad L560 Hardware solutions / Firmware ThinkPad L570 20J8 Hardware solutions / Firmware ThinkPad L570 20J9 Hardware solutions / Firmware ThinkPad L570 20JQ Hardware solutions / Firmware ThinkPad L570 20JR Hardware solutions / Firmware ThinkPad P50s Hardware solutions / Firmware ThinkPad P51s 20HB Hardware solutions / Firmware ThinkPad P51s 20HC Hardware solutions / Firmware ThinkPad P51s 20JY Hardware solutions / Firmware ThinkPad P51s 20K0 Hardware solutions / Firmware ThinkPad P52s 20LB Hardware solutions / Firmware ThinkPad P52s 20LC Hardware solutions / Firmware ThinkPad S540 Hardware solutions / Firmware ThinkPad T550 Hardware solutions / Firmware ThinkPad T560 Hardware solutions / Firmware ThinkPad T570 20H9 Hardware solutions / Firmware ThinkPad T570 20HA Hardware solutions / Firmware ThinkPad T570 20JW Hardware solutions / Firmware ThinkPad T570 20JX Hardware solutions / Firmware ThinkPad T580 20L9 Hardware solutions / Firmware ThinkPad T580 20LA Hardware solutions / Firmware ThinkPad X1 Tablet 1st Gen 20GG Hardware solutions / Firmware ThinkPad X1 Tablet 1st Gen 20GH Hardware solutions / Firmware ThinkPad X1 Tablet 2nd Gen 20JB Hardware solutions / Firmware ThinkPad X1 Tablet 2nd Gen 20JC Hardware solutions / Firmware ThinkPad W540 Hardware solutions / Firmware ThinkPad W541 Hardware solutions / Firmware ThinkPad W550s Hardware solutions / Firmware ThinkPad X1 Carbon 3rd Gen 20BS Hardware solutions / Firmware ThinkPad X1 Carbon 3rd Gen 20BT Hardware solutions / Firmware ThinkPad X1 Carbon 4th Gen 20FB Hardware solutions / Firmware ThinkPad X1 Carbon 4th Gen 20FC Hardware solutions / Firmware ThinkPad X1 Carbon 5th Gen - Kabylake 20HR Hardware solutions / Firmware ThinkPad X1 Carbon 5th Gen - Kabylake 20HQ Hardware solutions / Firmware ThinkPad X1 Carbon 5th Gen - Skylake 20K4 Hardware solutions / Firmware ThinkPad X1 Carbon 5th Gen - Skylake 20K3 Hardware solutions / Firmware ThinkPad X1 Yoga 1st Gen 20FQ Hardware solutions / Firmware ThinkPad X1 Yoga 1st Gen 20FR Hardware solutions / Firmware ThinkPad X1 Yoga 2nd Gen 20JD Hardware solutions / Firmware ThinkPad X1 Yoga 2nd Gen 20JE Hardware solutions / Firmware ThinkPad X1 Yoga 2nd Gen 20JF Hardware solutions / Firmware ThinkPad X1 Yoga 2nd Gen 20JG Hardware solutions / Firmware ThinkPad X1 Yoga 3rd Gen 20LD Hardware solutions / Firmware ThinkPad X1 Yoga 3rd Gen 20LE Hardware solutions / Firmware ThinkPad X1 Yoga 3rd Gen 20LF Hardware solutions / Firmware ThinkPad X1 Yoga 3rd Gen 20LG Hardware solutions / Firmware ThinkPad X250 Hardware solutions / Firmware ThinkPad X280 20KF Hardware solutions / Firmware ThinkPad X280 20KE Hardware solutions / Firmware ThinkPad X390 Yoga Hardware solutions / Firmware ThinkPad Yoga 11e 20D9 Hardware solutions / Firmware ThinkPad Yoga 11e 20DA Hardware solutions / Firmware ThinkPad Yoga 15 Hardware solutions / Firmware ThinkPad Yoga 260 Hardware solutions / Firmware |
| Vendor | Lenovo |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU62281
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-1108
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in LenovoFlashDeviceInterface within the SMI handler. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsThinkPad X1 Fold Gen 1 20RK: before N2PET50W
ThinkPad X1 Fold Gen 1 20RL: before N2PET50W
CPE2.3- cpe:2.3:h:lenovo:thinkpad_x1_fold_gen_1_20rk:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_fold_gen_1_20rl:*:*:*:*:*:*:*:*
https://support.lenovo.com/lu/uk/product_security/LEN-84943
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU62282
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-1107
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of Boot Services in the SmmOEMInt15 SMI handler. A local user can bypass implemented security restrictions and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsThinkPad 11e 20D9: before N15ET78W
ThinkPad 11e 20DA: before N15ET78W
ThinkPad Helix 20CG: before N17ETA8W
ThinkPad Helix 20CH: before N17ETA8W
ThinkPad L560: before N1HET85W
ThinkPad L570 20J8: before N1XET65W
ThinkPad L570 20J9: before N1XET65W
ThinkPad L570 20JQ: before N1XET65W
ThinkPad L570 20JR: before N1XET65W
ThinkPad P50s: before N1KET46W
ThinkPad P51s 20HB: before N1VET50W
ThinkPad P51s 20HC: before N1VET50W
ThinkPad P51s 20JY: before N1VET50W
ThinkPad P51s 20K0: before N1VET50W
ThinkPad P52s 20LB: before N27ET36W
ThinkPad P52s 20LC: before N27ET36W
ThinkPad S540: before GPET80WW
ThinkPad T550: before N11ET50W
ThinkPad T560: before N1KET46W
ThinkPad T570 20H9: before N1VET50W
ThinkPad T570 20HA: before N1VET50W
ThinkPad T570 20JW: before N1VET50W
ThinkPad T570 20JX: before N1VET50W
ThinkPad T580 20L9: before N27ET36W
ThinkPad T580 20LA: before N27ET36W
ThinkPad X1 Tablet 1st Gen 20GG: before N1LE T86W
ThinkPad X1 Tablet 1st Gen 20GH: before N1LET86W
ThinkPad X1 Tablet 2nd Gen 20JB: before N1OET50W
ThinkPad X1 Tablet 2nd Gen 20JC: before N1OET50W
ThinkPad W540: before GNET92WW
ThinkPad W541: before GNET92WW
ThinkPad W550s: before N11ET50W
ThinkPad X1 Carbon 3rd Gen 20BS: before N14ET52 W
ThinkPad X1 Carbon 3rd Gen 20BT: before N14ET52W
ThinkPad X1 Carbon 4th Gen 20FB: before N1FET70W
ThinkPad X1 Carbon 4th Gen 20FC: before N1FET70W
ThinkPad X1 Carbon 5th Gen - Kabylake 20HR: before N1MET55W
ThinkPad X1 Carbon 5th Gen - Kabylake 20HQ: before N1MET55W
ThinkPad X1 Carbon 5th Gen - Skylake 20K4: before N1MET55W
ThinkPad X1 Carbon 5th Gen - Skylake 20K3: before N1MET55W
ThinkPad X1 Yoga 1st Gen 20FQ: before N1FET70W
ThinkPad X1 Yoga 1st Gen 20FR: before N1FET70W
ThinkPad X1 Yoga 2nd Gen 20JD: before N1NET47W
ThinkPad X1 Yoga 2nd Gen 20JE: before N1NET47W
ThinkPad X1 Yoga 2nd Gen 20JF: before N1NET47W
ThinkPad X1 Yoga 2nd Gen 20JG: before N1NET47W
ThinkPad X1 Yoga 3rd Gen 20LD: before N25ET50W
ThinkPad X1 Yoga 3rd Gen 20LE: before N25ET50W
ThinkPad X1 Yoga 3rd Gen 20LF: before N25ET50W
ThinkPad X1 Yoga 3rd Gen 20LG: before N25ET50W
ThinkPad X250: before N10ET58W
ThinkPad X280 20KF: before N20ET44W
ThinkPad X280 20KE: before N20ET44W
ThinkPad X390 Yoga: before N2LET60W
ThinkPad Yoga 11e 20D9: before N15ET78W
ThinkPad Yoga 11e 20DA: before N15ET78W
ThinkPad Yoga 15: before N19ET61W
ThinkPad Yoga 260: before N1GET98W
CPE2.3- cpe:2.3:h:lenovo:thinkpad_11e_20d9:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_11e_20da:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_helix_20cg:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_helix_20ch:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_l560:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_l570_20j8:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_l570_20j9:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_l570_20jq:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_l570_20jr:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p50s:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p51s_20hb:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p51s_20hc:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p51s_20jy:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p51s_20k0:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p52s_20lb:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_p52s_20lc:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_s540:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t550:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t560:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t570_20h9:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t570_20ha:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t570_20jw:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t570_20jx:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t580_20l9:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_t580_20la:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_tablet_1st_gen_20gg:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_tablet_1st_gen_20gh:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_tablet_2nd_gen_20jb:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_tablet_2nd_gen_20jc:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_w540:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_w541:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_w550s:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_3rd_gen_20bs:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_3rd_gen_20bt:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_4th_gen_20fb:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_4th_gen_20fc:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_5th_gen_-_kabylake_20hr:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_5th_gen_-_kabylake_20hq:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_5th_gen_-_skylake_20k4:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_carbon_5th_gen_-_skylake_20k3:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_1st_gen_20fq:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_1st_gen_20fr:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_2nd_gen_20jd:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_2nd_gen_20je:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_2nd_gen_20jf:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_2nd_gen_20jg:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_3rd_gen_20ld:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_3rd_gen_20le:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_3rd_gen_20lf:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x1_yoga_3rd_gen_20lg:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x250:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x280_20kf:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x280_20ke:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_x390_yoga:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_yoga_11e_20d9:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_yoga_11e_20da:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_yoga_15:*:*:*:*:*:*:*:*
- cpe:2.3:h:lenovo:thinkpad_yoga_260:*:*:*:*:*:*:*:*
https://support.lenovo.com/lu/uk/product_security/LEN-84943
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
