5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
65.7%
Lenovo Security Advisory: LEN-4603
Potential Impact: An attacker with man-in-the-middle capabilities could decrypt encrypted traffic or impersonate a legitimate client or server
**Severity:**Medium
Scope of Impact: Industry-Wide
Summary Description:
A flaw was found in the way the TLS 1.2 protocol could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. An attacker with man-in-the-middle capabilities who is able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
This vulnerability has been given the name “Security Losses from Obsolete and Truncated Transcript Hashes” or “SLOTH”.
We continue to monitor for practical collision attacks against SHA1 and will issue updated guidance and fixes should they appear.
Mitigation Strategy for Customers (what you should do to protect yourself):
Update to the most recent software available for your affected product by using the links below.
Product Impact:
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
65.7%