5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.7 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
0.976 High
EPSS
Percentile
100.0%
Lenovo Security Advisory: LEN-18282
**Potential Impact:**Malicious code running locally may be able to observe contents of privileged memory, circumventing expected privilege levels.
Severity: High
Scope of Impact: Industry-wide
CVE Identifier:
“Spectre” CVE-2017-5753, CVE-2017-5715
“Meltdown” CVE-2017-5754
Summary Description:
Lenovo is aware of vulnerabilities regarding certain processors nicknamed “Spectre” and “Meltdown” by their discoverers. Both are “side channel” exploits, meaning they do not access protected data directly, but rather induce the processor to operate in a specific way, and observe execution timing or other externally visible characteristics to infer the protected data.
We are working continuously with our processor, operating system, and component suppliers to incorporate fixes as we receive them. Lenovo will update this page frequently as fixes are released and new information emerges. Please check back often.
Mitigation Strategy for Customers (what you should do to protect yourself):
There are three related vulnerability variants. All require operating system updates to address. One requires processor microcode updates (see product impact section below).
Variant 1: Bounds check bypass (CVE-2017-5753)
Variant 2: Branch target injection (CVE-2017-5715)
Variant 3: Rogue data cache load (CVE-2017-5754)
We recommend updating OS and firmware as soon as updates are available. For PCs, go to <https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe> to get the latest OS patches.
Prior to patching and firmware update, you can limit your risk by following the usual security best practices to prevent an attacker from running code locally on your system. For example: Limit access to only known and trusted users; install only well-vetted, trusted applications; visit only reputable web sites with minimal obtrusive advertising and content pulled-in from other sources; and if feasible, turn off JavaScript in your browser.
Product Impact:
CPU Microcode Updates: Intel and AMD provide to Lenovo the CPU microcode updates required to address Variant 2, which Lenovo then incorporates into BIOS/UEFI firmware. We are building and testing BIOS/UEFI firmware packages as we receive new microcode from Intel and AMD. New firmware packages will be added to the product tables as they become ready.
Anti-Virus Blocking Microsoft Windows Updates: Microsoft has found some anti-virus products conflict with their OS patches (<https://support.microsoft.com/help/4072698>). Microsoft blocks installation of those patches until the anti-virus product has been updated or removed. Please see <https://support.microsoft.com/en-us/help/4072699> for information on how to unblock the installation.
NVIDIA GPU Device Drivers: Lenovo has become aware that NVIDIA GPU drivers and software (running on the host CPU, not the GPU) are vulnerable to CVE-2017-5753 and CVE-2017-5715 (Spectre). Please see Lenovo advisory LEN-16730 for more information and updates.
Web Browsers: Google, Microsoft, and Mozilla have reported it is possible to use aspects of these vulnerabilities within their web browser applications. Please see these references for more information and updates:
CLIENT SYSTEMS
The following guidance is specific to Lenovo Personal Computing (PCSD) offerings.
CPU Microcode Updates: Based on customer feedback, we are also integrating additional BIOS fixes such as Intel AMT MEBx bypass updates. All side channel related updates continue to be listed on this advisory.
5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.7 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
0.976 High
EPSS
Percentile
100.0%