ID
VAR-E-201606-0744
TITLE
Lenovo ThinkPad System Management Mode Local Privilege Escalation Vulnerability
Trust: 0.3
DESCRIPTION
Lenovo ThinkPad is prone to a local privilege escalation vulnerability.
A local attacker can leverage this issue to execute arbitrary code with administrative privileges in the context of the System Management Mode.
Trust: 0.3
AFFECTED PRODUCTS
| vendor: | lenovo | model: | thinkpad yoga 11e | scope: | eq | version: | 0 | Trust: 0.9 |
| vendor: | lenovo | model: | thinkpad carbon | scope: | eq | version: | x10 | Trust: 0.6 |
| vendor: | lenovo | model: | thinkpad tablet | scope: | eq | version: | 80 | Trust: 0.6 |
| vendor: | lenovo | model: | thinkpad tablet | scope: | eq | version: | 100 | Trust: 0.6 |
| vendor: | lenovo | model: | thinkstation d30 (type | scope: | eq | version: | 4353-4354)0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkstation d30 (type | scope: | eq | version: | 4223-4228-4229)0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkstation c30 (type | scope: | eq | version: | 1136-1137)0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkstation c30 (type | scope: | eq | version: | 1095-1096-1097)0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad yoga | scope: | eq | version: | 150 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | x2500 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad x240s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | x2400 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad x230s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad x230i tablet | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad x230i | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad tablet | scope: | eq | version: | x2300 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | x2300 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad x140e | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad x131e | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad w550s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad w541 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad w540 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad w530 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad ultrazoom | scope: | eq | version: | 1 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad ultranav wizard | scope: | eq | version: | 3 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad twist/edge s230 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t550 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t540p | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t530i | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t530 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t450s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t450 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t440s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t440p | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t440 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t431s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t430si | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t430s | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t430i | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t430 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t430 | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t420 | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t400 | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad s540 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad s531 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad s430 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad s3-s440 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad s3 yoga | scope: | eq | version: | 140 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad l540 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad l450 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad l440 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad l430 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad helix | scope: | eq | version: | (3xxx)0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad helix | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad edge s430 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad edge e555 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad edge e455 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad e565 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad e465 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad 11e | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | 100 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | x61 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | x220 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad | scope: | eq | version: | x201 | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t61 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t60 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t530 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t430 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t43 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | thinkpad t410 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | lenovo | model: | system m5 | scope: | eq | version: | x36500 | Trust: 0.3 |
| vendor: | lenovo | model: | system m5 | scope: | eq | version: | x35500 | Trust: 0.3 |
| vendor: | lenovo | model: | system m5 | scope: | eq | version: | x35000 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad z50-75 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad yoga | scope: | eq | version: | 3140 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad s41-75 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad s41-35 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad m41-70 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad k41-70 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad g70-35 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad g51-35 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad g50-70m | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad g41-35 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad g40-75m | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad flex | scope: | eq | version: | 3-15700 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad flex | scope: | eq | version: | 3-14700 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad flex 3-1435 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | ideapad 305-15ihw | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | lenovo | model: | flex system | scope: | eq | version: | x880x60 | Trust: 0.3 |
| vendor: | lenovo | model: | flex system | scope: | eq | version: | x8800 | Trust: 0.3 |
| vendor: | lenovo | model: | flex system | scope: | eq | version: | x480x60 | Trust: 0.3 |
| vendor: | lenovo | model: | flex system | scope: | eq | version: | x280x60 | Trust: 0.3 |
| vendor: | lenovo | model: | flex system m5 | scope: | eq | version: | x2400 | Trust: 0.3 |
EXPLOIT
The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Unknown
Trust: 0.3
CREDITS
Dmytro Oleksiuk
Trust: 0.3
EXTERNAL IDS
| db: | LENOVO | id: | LEN-8324 | Trust: 0.3 |
| db: | BID | id: | 91538 | Trust: 0.3 |
REFERENCES
| url: | http://www.lenovo.com/ca/en/ | Trust: 0.3 |
| url: | http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html | Trust: 0.3 |
| url: | https://github.com/cr4sh/thinkpwn | Trust: 0.3 |
| url: | https://support.lenovo.com/us/en/solutions/len-8324 | Trust: 0.3 |
SOURCES
| db: | BID | id: | 91538 |
LAST UPDATE DATE
2022-07-27T09:51:49.012000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 91538 | date: | 2016-07-14T20:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 91538 | date: | 2016-06-30T00:00:00 |