#VU62282 Security restrictions bypass in Lenovo products - CVE-2022-1107

Cybersecurity Help s.r.o.

Published: 2022-04-13

Vulnerability identifier: #VU62282

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-1107

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
ThinkPad 11e 20D9
Hardware solutions / Firmware
ThinkPad 11e 20DA
Hardware solutions / Firmware
ThinkPad Helix 20CG
Hardware solutions / Firmware
ThinkPad Helix 20CH
Hardware solutions / Firmware
ThinkPad L560
Hardware solutions / Firmware
ThinkPad L570 20J8
Hardware solutions / Firmware
ThinkPad L570 20J9
Hardware solutions / Firmware
ThinkPad L570 20JQ
Hardware solutions / Firmware
ThinkPad L570 20JR
Hardware solutions / Firmware
ThinkPad P50s
Hardware solutions / Firmware
ThinkPad P51s 20HB
Hardware solutions / Firmware
ThinkPad P51s 20HC
Hardware solutions / Firmware
ThinkPad P51s 20JY
Hardware solutions / Firmware
ThinkPad P51s 20K0
Hardware solutions / Firmware
ThinkPad P52s 20LB
Hardware solutions / Firmware
ThinkPad P52s 20LC
Hardware solutions / Firmware
ThinkPad S540
Hardware solutions / Firmware
ThinkPad T550
Hardware solutions / Firmware
ThinkPad T560
Hardware solutions / Firmware
ThinkPad T570 20H9
Hardware solutions / Firmware
ThinkPad T570 20HA
Hardware solutions / Firmware
ThinkPad T570 20JW
Hardware solutions / Firmware
ThinkPad T570 20JX
Hardware solutions / Firmware
ThinkPad T580 20L9
Hardware solutions / Firmware
ThinkPad T580 20LA
Hardware solutions / Firmware
ThinkPad X1 Tablet 1st Gen 20GG
Hardware solutions / Firmware
ThinkPad X1 Tablet 1st Gen 20GH
Hardware solutions / Firmware
ThinkPad X1 Tablet 2nd Gen 20JB
Hardware solutions / Firmware
ThinkPad X1 Tablet 2nd Gen 20JC
Hardware solutions / Firmware
ThinkPad W540
Hardware solutions / Firmware
ThinkPad W541
Hardware solutions / Firmware
ThinkPad W550s
Hardware solutions / Firmware
ThinkPad X1 Carbon 3rd Gen 20BS
Hardware solutions / Firmware
ThinkPad X1 Carbon 3rd Gen 20BT
Hardware solutions / Firmware
ThinkPad X1 Carbon 4th Gen 20FB
Hardware solutions / Firmware
ThinkPad X1 Carbon 4th Gen 20FC
Hardware solutions / Firmware
ThinkPad X1 Carbon 5th Gen - Kabylake 20HR
Hardware solutions / Firmware
ThinkPad X1 Carbon 5th Gen - Kabylake 20HQ
Hardware solutions / Firmware
ThinkPad X1 Carbon 5th Gen - Skylake 20K4
Hardware solutions / Firmware
ThinkPad X1 Carbon 5th Gen - Skylake 20K3
Hardware solutions / Firmware
ThinkPad X1 Yoga 1st Gen 20FQ
Hardware solutions / Firmware
ThinkPad X1 Yoga 1st Gen 20FR
Hardware solutions / Firmware
ThinkPad X1 Yoga 2nd Gen 20JD
Hardware solutions / Firmware
ThinkPad X1 Yoga 2nd Gen 20JE
Hardware solutions / Firmware
ThinkPad X1 Yoga 2nd Gen 20JF
Hardware solutions / Firmware
ThinkPad X1 Yoga 2nd Gen 20JG
Hardware solutions / Firmware
ThinkPad X1 Yoga 3rd Gen 20LD
Hardware solutions / Firmware
ThinkPad X1 Yoga 3rd Gen 20LE
Hardware solutions / Firmware
ThinkPad X1 Yoga 3rd Gen 20LF
Hardware solutions / Firmware
ThinkPad X1 Yoga 3rd Gen 20LG
Hardware solutions / Firmware
ThinkPad X250
Hardware solutions / Firmware
ThinkPad X280 20KF
Hardware solutions / Firmware
ThinkPad X280 20KE
Hardware solutions / Firmware
ThinkPad X390 Yoga
Hardware solutions / Firmware
ThinkPad Yoga 11e 20D9
Hardware solutions / Firmware
ThinkPad Yoga 11e 20DA
Hardware solutions / Firmware
ThinkPad Yoga 15
Hardware solutions / Firmware
ThinkPad Yoga 260
Hardware solutions / Firmware

Vendor: Lenovo

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of Boot Services in the SmmOEMInt15 SMI handler. A local user can bypass implemented security restrictions and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ThinkPad 11e 20D9: before N15ET78W

ThinkPad 11e 20DA: before N15ET78W

ThinkPad Helix 20CG: before N17ETA8W

ThinkPad Helix 20CH: before N17ETA8W

ThinkPad L560: before N1HET85W

ThinkPad L570 20J8: before N1XET65W

ThinkPad L570 20J9: before N1XET65W

ThinkPad L570 20JQ: before N1XET65W

ThinkPad L570 20JR: before N1XET65W

ThinkPad P50s: before N1KET46W

ThinkPad P51s 20HB: before N1VET50W

ThinkPad P51s 20HC: before N1VET50W

ThinkPad P51s 20JY: before N1VET50W

ThinkPad P51s 20K0: before N1VET50W

ThinkPad P52s 20LB: before N27ET36W

ThinkPad P52s 20LC: before N27ET36W

ThinkPad S540: before GPET80WW

ThinkPad T550: before N11ET50W

ThinkPad T560: before N1KET46W

ThinkPad T570 20H9: before N1VET50W

ThinkPad T570 20HA: before N1VET50W

ThinkPad T570 20JW: before N1VET50W

ThinkPad T570 20JX: before N1VET50W

ThinkPad T580 20L9: before N27ET36W

ThinkPad T580 20LA: before N27ET36W

ThinkPad X1 Tablet 1st Gen 20GG: before N1LE T86W

ThinkPad X1 Tablet 1st Gen 20GH: before N1LET86W

ThinkPad X1 Tablet 2nd Gen 20JB: before N1OET50W

ThinkPad X1 Tablet 2nd Gen 20JC: before N1OET50W

ThinkPad W540: before GNET92WW

ThinkPad W541: before GNET92WW

ThinkPad W550s: before N11ET50W

ThinkPad X1 Carbon 3rd Gen 20BS: before N14ET52 W

ThinkPad X1 Carbon 3rd Gen 20BT: before N14ET52W

ThinkPad X1 Carbon 4th Gen 20FB: before N1FET70W

ThinkPad X1 Carbon 4th Gen 20FC: before N1FET70W

ThinkPad X1 Carbon 5th Gen - Kabylake 20HR: before N1MET55W

ThinkPad X1 Carbon 5th Gen - Kabylake 20HQ: before N1MET55W

ThinkPad X1 Carbon 5th Gen - Skylake 20K4: before N1MET55W

ThinkPad X1 Carbon 5th Gen - Skylake 20K3: before N1MET55W

ThinkPad X1 Yoga 1st Gen 20FQ: before N1FET70W

ThinkPad X1 Yoga 1st Gen 20FR: before N1FET70W

ThinkPad X1 Yoga 2nd Gen 20JD: before N1NET47W

ThinkPad X1 Yoga 2nd Gen 20JE: before N1NET47W

ThinkPad X1 Yoga 2nd Gen 20JF: before N1NET47W

ThinkPad X1 Yoga 2nd Gen 20JG: before N1NET47W

ThinkPad X1 Yoga 3rd Gen 20LD: before N25ET50W

ThinkPad X1 Yoga 3rd Gen 20LE: before N25ET50W

ThinkPad X1 Yoga 3rd Gen 20LF: before N25ET50W

ThinkPad X1 Yoga 3rd Gen 20LG: before N25ET50W

ThinkPad X250: before N10ET58W

ThinkPad X280 20KF: before N20ET44W

ThinkPad X280 20KE: before N20ET44W

ThinkPad X390 Yoga: before N2LET60W

ThinkPad Yoga 11e 20D9: before N15ET78W

ThinkPad Yoga 11e 20DA: before N15ET78W

ThinkPad Yoga 15: before N19ET61W

ThinkPad Yoga 260: before N1GET98W

External links
https://support.lenovo.com/lu/uk/product_security/LEN-84943

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Lenovo ThinkPad BIOS