Lenovo: Security Vulnerabilities
Improper access controls on several Android components in the Lenovo Service Framework application can be exploited to enable remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.024 | Published: 2017-10-17
The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVSS Score: 8.1 | EPSS Score: 0.014 | Published: 2017-10-17
The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
CVSS Score: 8.1 | EPSS Score: 0.008 | Published: 2017-10-17
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.045 | Published: 2017-10-17
The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.
CVSS Score: 5.9 | EPSS Score: 0.738 | Published: 2017-10-16
Services and files in Lenovo Fingerprint Manager before 8.01.42 have incorrect ACLs, which allows local users to invalidate local checks and gain privileges via standard filesystem operations.
CVSS Score: 6.7 | EPSS Score: 0.0 | Published: 2017-10-03
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed Lenovo executables.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2017-10-03
An attacker who obtains access to the location where the LXCA file system is stored may be able to access credentials of local LXCA accounts in LXCA versions earlier than 1.3.2.
CVSS Score: 6.7 | EPSS Score: 0.001 | Published: 2017-09-22
Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2017-09-22
ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, various versions, was found to contain a privilege escalation vulnerability that could allow a local user to execute arbitrary code with administrative or system level privileges.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2017-08-29

