**Lenovo Security Advisory:** LEN-20494
**Potential Impact:** Local security-bypass
**Severity:** Medium
**Scope of Impact:** Industry-wide
**CVE Identifier:** CVE-2018-6622
**Summary Description:**
Lenovo was notified of a potential security bypass vulnerability in BIOS firmware for managing the TPM 2.0 device. If an attacker gains Windows administrator rights and then modifies the Windows kernel so it does not properly prepare the TPM for entering sleep (S3), the TPM may later wake in an error state with cleared PCRs. The BIOS does not detect and resolve this TPM error state, potentially allowing a local attacker to bypass security measures.
**Mitigation Strategy for Customers (what you should do to protect yourself):**
Lenovo recommends customers update their BIOS to at least the minimum version indicated for their model in the Product Impact section of this advisory.
**Product Impact:**
{"id": "LENOVO:PS500178-NOSID", "vendorId": null, "type": "lenovo", "bulletinFamily": "info", "title": "TPM 2.0 Sleep-Wake Error in BIOS Firmware - US", "description": "**Lenovo Security Advisory**: LEN-20494\n\n**Potential Impact: **Local security-bypass\n\n**Severity:** Medium\n\n**Scope of Impact:** Industry-wide\n\n**CVE Identifier:** CVE-2018-6622\n\n**Summary Description:**\n\nLenovo was notified of a potential security bypass vulnerability in BIOS firmware for managing the TPM 2.0 device. If an attacker gains Windows administrator rights and then modifies the Windows kernel so it does not properly prepare the TPM for entering sleep (S3), the TPM may later wake in an error state with cleared PCRs. The BIOS does not detect and resolve this TPM error state, potentially allowing a local attacker to bypass security measures. \n\n**Mitigation Strategy for Customers (what you should do to protect yourself):**\n\nLenovo recommends customers update their BIOS to at least the minimum version indicated for their model in the Product Impact section of this advisory.\n\n**Product Impact:**\n", "published": "2018-09-13T19:29:00", "modified": "2018-09-13T19:30:46", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2}, "href": "http://support.lenovo.com/us/en/solutions/LEN-20494", "reporter": "Lenovo", "references": [], "cvelist": ["CVE-2018-6622"], "immutableFields": [], "lastseen": "2018-09-25T17:22:20", "viewCount": 528, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-6622"]}, {"type": "hp", "idList": ["HP:C06265284"]}, {"type": "lenovo", "idList": ["LENOVO:PS500178-TPM-20-SLEEP-WAKE-ERROR-IN-BIOS-FIRMWARE-NOSID"]}], "rev": 4}, "score": {"value": 3.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-6622"]}, {"type": "hp", "idList": ["HP:C06265284"]}, {"type": "lenovo", "idList": ["LENOVO:PS500178-TPM-20-SLEEP-WAKE-ERROR-IN-BIOS-FIRMWARE-NOSID"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-6622", "epss": "0.000420000", "percentile": "0.056350000", "modified": "2023-03-14"}], "vulnersScore": 3.2}, "_state": {"dependencies": 1645574734, "score": 1683995128, "epss": 1678865228}, "_internal": {"score_hash": "8f69a7f32fbc6f48e3248be270f0fb5b"}}
{"lenovo": [{"lastseen": "2021-08-11T16:37:25", "description": "**Lenovo Security Advisory**: LEN-20494\n\n**Potential Impact: **Local security-bypass\n\n**Severity:** Medium\n\n**Scope of Impact:** Industry-wide\n\n**CVE Identifier:** CVE-2018-6622\n\n**Summary Description:**\n\nLenovo was notified of a potential security bypass vulnerability in BIOS firmware for managing the TPM 2.0 device. If an attacker gains Windows administrator rights and then modifies the Windows kernel so it does not properly prepare the TPM for entering sleep (S3), the TPM may later wake in an error state with cleared PCRs. The BIOS does not detect and resolve this TPM error state, potentially allowing a local attacker to bypass security measures.\n\n**Mitigation Strategy for Customers (what you should do to protect yourself):**\n\nLenovo recommends customers update their BIOS to at least the minimum version indicated for their model in the Product Impact section of this advisory.\n\n**Product Impact:**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.1, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-07-26T16:56:00", "type": "lenovo", "title": "TPM 2.0 Sleep-Wake Error in BIOS Firmware - Lenovo Support NL", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, 
"impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6622"], "modified": "2020-03-13T20:24:14", "id": "LENOVO:PS500178-TPM-20-SLEEP-WAKE-ERROR-IN-BIOS-FIRMWARE-NOSID", "href": "https://support.lenovo.com/nl/nl/product_security/ps500178-tpm-20-sleep-wake-error-in-bios-firmware", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-07T15:06:47", "description": "An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.1, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-08-17T18:29:00", "type": "cve", "title": "CVE-2018-6622", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6622"], "modified": "2019-10-03T00:03:00", "cpe": 
["cpe:/a:trustedcomputinggroup:trusted_platform_module:2.0"], "id": "CVE-2018-6622", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6622", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:trustedcomputinggroup:trusted_platform_module:2.0:*:*:*:*:*:*:*"]}], "hp": [{"lastseen": "2022-03-23T06:30:01", "description": "## Potential Security Impact\nInformation Disclosure, Denial of Service, Escalation of Privilege \n\n**Source**: HP, HP Product Security Response Team (PSRT) \n\n**Reported by**: Seunghun Han, National Security Research Institute \n\n## VULNERABILITY SUMMARY\nPotential security vulnerabilities have been identified with the Trusted Platform Module (TPM) that allow an unauthorized third party to modify the TPM configuration following an S3 Resume, allowing unauthorized access to the system and its data.\n\n## RESOLUTION\nHP has identified the affected platforms and target dates for Softpaqs. See the affected platforms listed below. \n\n> note:\n> \n> This bulletin will be updated. Check back frequently for updates. HP recommends keeping your system up to date with the latest firmware and software.\n\n**Pending**: Softpaq is in progress. \n\n**Under investigation**: System under investigation for impact, or Softpaq under investigation for feasibility/availability. \n\n**Not available**: Softpaq not available due to technical or logistical constraints. \n", "cvss3": {}, "published": "2019-03-14T00:00:00", "type": "hp", "title": "HPSBHF03609 rev. 3 - TPM Platform Configuration Vulnerability After S3 Resume", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-16837", "CVE-2018-6622"], "modified": "2019-09-23T00:00:00", "id": "HP:C06265284", "href": "https://support.hp.com/us-en/document/c06265284", "cvss": {"score": "7.8", "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/"}}]}