Lenovo: Security Vulnerabilities
An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered the Windows OS credentials provided by the LXCA user to perform driver updates of managed systems may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated while managed endpoints are updating. The service log is only generated when requested by a privileged LXCA user and it is only accessible to the privileged LXCA user that requested the file and is then deleted.
CVSS Score
4.9
EPSS Score
0.001
Published
2021-02-10
A privilege escalation vulnerability was reported in Lenovo PCManager prior to version 3.0.50.9162 that could allow an authenticated user to execute code with elevated privileges.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-11-30
In some Lenovo Desktop models, the Configuration Change Detection BIOS setting failed to detect SATA configuration changes.
CVSS Score
2.4
EPSS Score
0.001
Published
2020-11-11
Prior to August 10, 2020, some Lenovo Desktop and Workstation systems were shipped with the Embedded Host Based Configuration (EHBC) feature of Intel AMT enabled. This could allow an administrative user with local access to configure Intel AMT.
CVSS Score
6.7
EPSS Score
0.0
Published
2020-11-11
A potential vulnerability in the SMI callback function used in the VariableServiceSmm driver in some Lenovo Notebook models may allow arbitrary code execution.
CVSS Score
6.4
EPSS Score
0.0
Published
2020-11-11
A potential vulnerability in the SMI callback function used in the legacy BIOS mode USB drivers in some legacy Lenovo and IBM System x servers may allow arbitrary code execution. Servers operating in UEFI mode are not affected.
CVSS Score
6.4
EPSS Score
0.0
Published
2020-10-14
A DLL search path vulnerability was reported in Lenovo Diagnostics prior to version 4.35.4 that could allow a user with local access to execute code on the system.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-10-14
A DLL search path vulnerability was reported in the Lenovo HardwareScan Plugin for the Lenovo Vantage hardware scan feature prior to version 1.0.46.11 that could allow escalation of privilege.
CVSS Score
7.3
EPSS Score
0.001
Published
2020-10-14
An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.
CVSS Score
9.8
EPSS Score
0.026
Published
2020-10-14
An authentication bypass vulnerability was reported in Lenovo ThinkPad Stack Wireless Router firmware version 1.1.3.4 that could allow escalation of privilege.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-10-14