Lenovo Security Advisory: LEN-27714
**Potential Impact:** Escalation of Privilege, Denial of Service, Information Disclosure
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2019-0117, CVE-2019-0123, CVE-2019-0124, CVE-2019-0151, CVE-2019-0152, CVE-2019-0154, CVE-2019-0184, CVE-2019-0185, CVE-2019-6170, CVE-2019-6172, CVE-2019-6174, CVE-2019-6188, CVE-2019-11135, CVE-2019-11136, CVE-2019-11137, CVE-2019-11139, CVE-2019-18279
Summary Description:
When possible, Lenovo consolidates multiple BIOS security fixes and enhancements into as few updates as possible. The following list of vulnerabilities was reported by suppliers and researchers or was found during our regular internal testing. Not all products listed in the Product Impact section of this advisory are affected by every CVE summarized here.
AMI has released AMI Aptio V BIOS security enhancements. No CVEs available.
Intel reported a potential security vulnerability in access control of protected memory for Intel SGX processors with Intel Processor Graphics may allow for information disclosure. INTEL-SA-00219: CVE-2019-0117
Intel reported potential security vulnerabilities in 6th Generation Intel Core™ Processors and later that may allow information disclosure. INTEL-SA-00220: CVE-2019-0123, CVE-2019-0124
Intel reported potential security vulnerabilities in Intel Core Processors and Intel Xeon Processors may allow escalation of privilege, denial of service, or information disclosure. INTEL-SA-00240: CVE-2019-0151, CVE-2019-0152
Intel reported a potential security vulnerability in Intel Processor Graphics that may allow denial of service. INTEL-SA-00242 and INTEL-SA-00260: CVE-2019-0154
Intel reported a potential security vulnerability in Intel Trusted Execution Technology with Intel Processor Graphics may allow for information disclosure. INTEL-SA-00164: CVE-2019-0184
Intel reported a potential security vulnerability in Intel System Management Mode with Intel Processor Graphics may allow for information disclosure. INTEL-SA-00254: CVE-2019-0185
Intel reported that a TSX Asynchronous Abort (TAA) condition on some Intel microprocessors utilizing speculative execution may allow an authenticated user with local access to potentially enable information disclosure via a side channel. INTEL-SA-00270: CVE-2019-11135
Intel reported potential security vulnerabilities in Intel firmware that may allow escalation of privilege, denial of service, or information disclosure. INTEL-SA-00280: CVE-2019-11136, CVE-2019-11137
Intel reported a potential security vulnerability in some Intel Xeon Scalable Processors that may allow denial of service. INTEL-SA-00271: CVE-2019-11139
The BIOS tamper detection mechanism was not triggered in the Lenovo ThinkPad T460p/T470p, which may allow for unauthorized access. CVE-2019-6188
A potential vulnerability in the SMI callback function used in the Legacy USB driver, which uses a boot services structure during the runtime phase, in some Lenovo ThinkPad models may allow arbitrary code execution. CVE-2019-6170
A potential vulnerability in the SMI callback function used in the Legacy USB driver, which uses a passed parameter without sufficient checking, in some Lenovo ThinkPad models may allow arbitrary code execution. CVE-2019-6172
Phoenix has released Windows driver security enhancements for the Phoenix BIOS Update Utility. CVE-2019-18279
Mitigation Strategy for Customers (what you should do to protect yourself):
Update system firmware to the version (or newer) indicated for your model in the Product Impact section below.
Product Impact: