CVE-2017-3775

Published: May 4, 2018Modified: Nov 21, 2024

6.4

Vector

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.5 / Impact: 5.9

Source: NVD

Description

Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.

Affected (11)

Products: Lenovo: Flex System X240 M5 Bios, Flex System X280 X6 Bios, Flex System X480 X6 Bios, Flex System X880 Bios, Nextscale Nx360 M5 Bios, System X3250 M6 Bios, System X3500 M5 Bios, System X3550 M5 Bios, System X3650 M5 Bios, System X3850 X6 Bios, System X3950 X6 Bios

Lenovo

11 products

Flex System X240 M5 Bios

Flex System X280 X6 Bios

Flex System X480 X6 Bios

Flex System X880 Bios

Nextscale Nx360 M5 Bios

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X240 M5 Bios	Before 2.61

Running on/with	Platform Versions
Lenovo Flex System X240 M5	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X280 X6 Bios	Before 4.21

Running on/with	Platform Versions
Lenovo Flex System X280 X6	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X480 X6 Bios	Before 4.21

Running on/with	Platform Versions
Lenovo Flex System X480 X6	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X880 Bios	Before 4.21

Running on/with	Platform Versions
Lenovo Flex System X880	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Nextscale Nx360 M5 Bios	Before 2.61

Running on/with	Platform Versions
Lenovo Nextscale Nx360 M5	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3250 M6 Bios	Before 2.23

Running on/with	Platform Versions
Lenovo System X3250 M6	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3500 M5 Bios	Before 2.61

Running on/with	Platform Versions
Lenovo System X3500 M5	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3550 M5 Bios	Before 2.61

Running on/with	Platform Versions
Lenovo System X3550 M5	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3650 M5 Bios	Before 2.61

Running on/with	Platform Versions
Lenovo System X3650 M5	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3850 X6 Bios	Before 4.3

Running on/with	Platform Versions
Lenovo System X3850 X6	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3950 X6 Bios	Before 4.3

Running on/with	Platform Versions
Lenovo System X3950 X6	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://support.lenovo.com/us/en/solutions/LEN-20241

Source: psirt@lenovo.com

PatchVendor Advisory

https://support.lenovo.com/us/en/solutions/LEN-20241

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.