CVE-2020-8332

Published: Oct 14, 2020Modified: Nov 21, 2024

6.4

Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.5 / Impact: 5.9

Source: NVD

Description

A potential vulnerability in the SMI callback function used in the legacy BIOS mode USB drivers in some legacy Lenovo and IBM System x servers may allow arbitrary code execution. Servers operating in UEFI mode are not affected.

Affected (19)

Lenovo

18 products

Bladecenter Hs23 Firmware

Bladecenter Hs23e Firmware

Compute Node X440 Firmware

Flex System X220 Firmware

Flex System X240 Firmware

Flex System X440 Firmware

Nextscale Nx360 M4 Firmware

System X3300 M4 Firmware

System X3500 M4 Firmware

System X3530 M4 Firmware

System X3550 M4 Firmware

System X3630 M4 Firmware

System X3650 M4 Firmware

System X3650 M4 Bd Firmware

System X3650 M4 Hd Firmware

System X3750 M4 Firmware

Idataplex Dx360 M4 Firmware

Idataplex Dx360 M4 Water Cooled Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Bladecenter Hs23 Firmware	Before tke170b

Running on/with	Platform Versions
Lenovo Bladecenter Hs23	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Bladecenter Hs23e Firmware	Before ahe172b

Running on/with	Platform Versions
Lenovo Bladecenter Hs23e	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Compute Node X440 Firmware	Before cge128a

Running on/with	Platform Versions
Lenovo Compute Node X440	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X220 Firmware	Before kse170b

Running on/with	Platform Versions
Lenovo Flex System X220	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X240 Firmware	Before b2e172b

Running on/with	Platform Versions
Lenovo Flex System X240	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Flex System X440 Firmware	Before cne172b

Running on/with	Platform Versions
Lenovo Flex System X440	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Nextscale Nx360 M4 Firmware	Before fhe132b

Running on/with	Platform Versions
Lenovo Nextscale Nx360 M4	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3300 M4 Firmware	Before yae166b

Running on/with	Platform Versions
Lenovo System X3300 M4	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3500 M4 Firmware	Before y5e170b

Running on/with	Platform Versions
Lenovo System X3500 M4	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3530 M4 Firmware	Before bee174b

Running on/with	Platform Versions
Lenovo System X3530 M4	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3550 M4 Firmware	Before d7e174b

Running on/with	Platform Versions
Lenovo System X3550 M4	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3630 M4 Firmware	Before bee174b

Running on/with	Platform Versions
Lenovo System X3630 M4	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3650 M4 Firmware	Before vve172b

Running on/with	Platform Versions
Lenovo System X3650 M4	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3650 M4 Bd Firmware	Before vve172b

Running on/with	Platform Versions
Lenovo System X3650 M4 Bd	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3650 M4 Hd Firmware	Before vve172b

Running on/with	Platform Versions
Lenovo System X3650 M4 Hd	All versions

Configuration P

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo System X3750 M4 Firmware	Before a5e130a

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo System X3750 M4 Firmware	Before koe170b

Running on/with	Platform Versions
Lenovo System X3750 M4	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Idataplex Dx360 M4 Firmware	Before tde168b

Running on/with	Platform Versions
Lenovo Idataplex Dx360 M4	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Idataplex Dx360 M4 Water Cooled Firmware	Before tde168b

Running on/with	Platform Versions
Lenovo Idataplex Dx360 M4 Water Cooled	All versions

Related CWEs

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

References (2)

https://support.lenovo.com/us/en/product_security/LEN-38625

Source: psirt@lenovo.com

Vendor Advisory

https://support.lenovo.com/us/en/product_security/LEN-38625

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.