Lenovo Security Advisory: LEN-13640
Potential Impact: Denial of service or accessing of data on a system by an attacker with physical access
Scope of Impact: Industry-Wide
CVE Identifier: CVE-2017-5684
In 2015, starting with the Skylake processor family, Intel introduced a Direct Connect Interface (DCI), which provides access via USB 3.0 ports to a debugging interface used for system development. Concerns have been raised that this interface could allow someone with malicious intent and physical access to a system to cause a denial of service or access data on the system.
A vulnerability has been identified in which an attacker with administrative access as well as physical access to a system’s USB port could enable DCI. Intel has released an update that disables this access, and this fix has been incorporated in the latest version of Lenovo UEFI BIOS for affected systems.
Mitigation Strategy for Customers (what you should do to protect yourself):
Update your system BIOS by following the readme file at the links below. Think and Lenovo brand notebooks and desktops may also automatically update BIOS with Lenovo System Update.