ThinkPad BIOS Vulnerabilities
Lenovo Security Advisory: LEN-72619
Potential Impact: Privilege escalation, denial of service
Severity: Medium
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2021-3718, CVE-2021-3843
Summary Description:
The following vulnerabilities were reported in Lenovo ThinkPad BIOS.
CVE-2021-3718: A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS.
CVE-2021-3843: A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
Mitigation Strategy for Customers (what you should do to protect yourself):
Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
Acknowledgement:
CVE-2021-3718: Lenovo thanks Zoltan Harmarth for reporting this issue.
CVE-2021-3843: Lenovo thanks Jiawei Yin (@yngweijw) and Menghao Li of IIE varas.
Revision History:
Revision | Date | Description |
---|---|---|
3 | 2023-08-08 | Identified end of life products |
2 | 2021-12-03 | Updated ThinkPad |
1 | 2021-10-12 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | CVE-2021-3718 | CVE-2021-3843 |
---|---|---|---|
E490 (Type 20N8, 20N9) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) - ThinkPad E490, E490s, E590 | End of life | Not Affected |
E490s (Type 20NG) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) - ThinkPad E490, E490s, E590 | End of life | Not Affected |
E590 (Type 20NB, 20NC) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) - ThinkPad E490, E490s, E590 | End of life | Not Affected |
L490 (type 20Q5, 20Q6) Laptops (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) - ThinkPad L490, L590 | End of life | Not Affected |
L590 (type 20Q7, 20Q8) Laptops (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) - ThinkPad L490, L590 | End of life | Not Affected |
P43s (Type 20RH, 20RJ) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) and Linux - ThinkPad T490, T590, P53s, P43s | N2IET96W | Not Affected |
P52 (Type 20M9, 20MA) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) & Linux - ThinkPad P52, P72 | N2CET60W | Not Affected |
P53s (Type 20N6, 20N7) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) and Linux - ThinkPad T490, T590, P53s, P43s | N2IET96W | Not Affected |
P72 (type 20MB, 20MC) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) & Linux - ThinkPad P52, P72 | N2CET60W | Not Affected |
T490 (Type 20N2, 20N3) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) and Linux - ThinkPad T490, T590, P53s, P43s | N2IET96W | Not Affected |
T490 (Type 20RY, 20RX) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) and Linux - ThinkPad T490, T590, P53s, P43s | N2IET96W | Not Affected |
T490 Type 20Q9, 20QH Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) and Linux - ThinkPad T490, T590, P53s, P43s | N2IET96W | Not Affected |
T590 (Type 20N4, 20N5) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) and Linux - ThinkPad T490, T590, P53s, P43s | N2IET96W | Not Affected |
X1 Fold Gen 1 (type 20RK, 20RL) Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) - ThinkPad X1 Fold Gen 1 (Types: 20RK, 20LK) | Not Affected | N2PET50W |
X390 Yoga Laptop (ThinkPad) | BIOS Update (Utility & Bootable CD) for Windows 10 (64-bit) & Linux - ThinkPad X390 Yoga | N2LET87W | Not Affected |
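
The version comparison from the mitigation steps, applied to a fleet inventory. This is an added example, not Lenovo code: the `triage` function, its result strings and the inventory rows are constructed for illustration, and it assumes that builds with the same five-character prefix are ordered by the two characters before the trailing `W`.

```python
import re

# Minimum fixed BIOS build per machine type, copied from the Product Impact
# table. X390 Yoga (fixed in N2LET87W) is omitted because the table gives no
# machine type for it.
FIXED = {}
for types, cve, build in [
    ("20RH 20RJ 20N6 20N7 20N2 20N3 20RY 20RX 20Q9 20QH 20N4 20N5",
     "CVE-2021-3718", "N2IET96W"),
    ("20M9 20MA 20MB 20MC", "CVE-2021-3718", "N2CET60W"),
    ("20RK 20RL", "CVE-2021-3843", "N2PET50W"),
]:
    for mt in types.split():
        FIXED[mt] = (cve, build)

# Types whose CVE-2021-3718 column reads "End of life" (no fixed build listed).
END_OF_LIFE = set("20N8 20N9 20NG 20NB 20NC 20Q5 20Q6 20Q7 20Q8".split())

# Assumption: 5-character build prefix, 2-character revision, then "W".
BUILD = re.compile(r"([0-9A-Z]{5})([0-9A-Z]{2})W")


def triage(machine_type_model, bios_version):
    """Classify one host. On Linux the two inputs are the contents of
    /sys/class/dmi/id/product_name and /sys/class/dmi/id/bios_version."""
    mt = machine_type_model.strip().upper()[:4]
    if mt in END_OF_LIFE:
        return "end-of-life"
    if mt not in FIXED:
        return "not-listed"
    cve, fixed = FIXED[mt]
    have = BUILD.match(bios_version.strip().upper())
    want = BUILD.match(fixed)
    if not have or have.group(1) != want.group(1):
        return "unknown-build"  # different firmware line: check by hand
    if have.group(2) >= want.group(2):
        return "fixed"
    return f"update-needed:{cve}:{fixed}"


# Constructed inventory rows: (host, machine type model, reported BIOS build).
INVENTORY = [
    ("host-a", "20N2EXAMPLE", "N2IET88W"),
    ("host-b", "20MBEXAMPLE", "N2CET60W"),
    ("host-c", "20N8EXAMPLE", "R0YET30W"),
]

if __name__ == "__main__":
    for host, mtm, bios in INVENTORY:
        print(host, triage(mtm, bios))
```

Hosts reported as `end-of-life` or `unknown-build` need a manual decision, since the table gives no fixed build to compare against.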