7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P
0.0004 Low
EPSS
Percentile
5.8%
Lenovo Security Advisory: LEN-20494
**Potential Impact:**Local security-bypass
Severity: Medium
Scope of Impact: Industry-wide
CVE Identifier: CVE-2018-6622
Summary Description:
Lenovo was notified of a potential security bypass vulnerability in BIOS firmware for managing the TPM 2.0 device. If an attacker gains Windows administrator rights and then modifies the Windows kernel so it does not properly prepare the TPM for entering sleep (S3), the TPM may later wake in an error state with cleared PCRs. The BIOS does not detect and resolve this TPM error state, potentially allowing a local attacker to bypass security measures.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo recommends customers update their BIOS to at least the minimum version indicated for their model in the Product Impact section of this advisory.
Product Impact:
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P
0.0004 Low
EPSS
Percentile
5.8%