CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS: 0.004 Low
Percentile: 69.0%
Lenovo Security Advisory: LEN-15552
Potential Impact: RSA keys generated by the Infineon TPM using certain firmware levels are insecure
Severity: Varies; None to High
Scope of Impact: Industry-Wide
CVE Identifier: CVE-2017-15361
Summary Description:
A vulnerability was identified in the RSA key generation method used by Trusted Platform Modules (TPMs) manufactured by Infineon and contained in some Lenovo products. RSA public keys generated by the Infineon TPM for use by certain software programs should be considered insecure. No TPMs from other manufacturers are affected.
Only software that uses RSA keys generated by the TPM is affected by this vulnerability. No Lenovo-developed software uses the TPM for this purpose. Please see the Infineon advisory located here for more details.
The Trusted Platform Module (TPM) is a microcontroller on the system board used to securely store artifacts used to authenticate the platform, such as passwords, certificates or encryption keys, or measurements to ensure your system is trustworthy.
Mitigation Strategy for Customers (what you should do to protect yourself):
The sequence of steps required to mitigate this issue depends on the application and/or operating system on your system. Follow the mitigation instructions provided by your software supplier to avoid data loss when mitigating this issue:
Product Impact:
Lenovo is urgently working on qualifying and applying the fixes provided by Infineon on supported systems. Please continue to refer to this advisory to identify fixes as they are posted for your systems.