Multi-vendor BIOS Security Vulnerabilities - Lenovo Support US

Lenovo Security Advisory: LEN-27714

**Potential Impact:**Escalation of Privilege, Denial of Service, Information Disclosure

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2019-0117, CVE-2019-0123, CVE-2019-0124, CVE-2019-0151, CVE-2019-0152, CVE-2019-0154, CVE-2019-0184, CVE-2019-0185, CVE-2019-6170, CVE-2019-6172, CVE-2019-6174, CVE-2019-6188, CVE-2019-11135, CVE-2019-11136, CVE-2019-11137, CVE-2019-11139, CVE-2019-18279

Summary Description:

When possible, Lenovo consolidates multiple BIOS security fixes and enhancements into as few updates as possible. The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. Not all products listed in the Product Impact section of this advisory were affected by every CVE summarized here.

AMI has released AMI Aptio V BIOS security enhancements. No CVEs available.

Intel reported a potential security vulnerability in access control of protected memory for Intel SGX processors with Intel Processor Graphics may allow for information disclosure. INTEL-SA-00219: CVE-2019-0117

Intel reported potential security vulnerabilities in 6th Generation Intel Core™ Processors and greater may allow information disclosure. INTEL-SA-00220: CVE-2018-0123, CVE-2019-0124

Intel reported potential security vulnerabilities in Intel Core Processors and Intel Xeon Processors may allow escalation of privilege, denial of service, or information disclosure. INTEL-SA-00240: CVE-2019-0151, CVE-2019-0152

Intel reported a potential security vulnerability in Intel Processor Graphics may allow denial of service. (INTEL-SA-00242 & INTEL-SA-260: CVE-2019-0154)

Intel reported a potential security vulnerability in Intel Trusted Execution Technology with Intel Processor Graphics may allow for information disclosure. INTEL-SA-00164: CVE-2019-0184

Intel reported a potential security vulnerability in Intel System Management Mode with Intel Processor Graphics may allow for information disclosure. INTEL-SA-00254: CVE-2019-0185

Intel reported a TSX Asynchronous Abort (TAA) condition on some Intel microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. INTEL-SA-00270: CVE-2019-11135

Intel reported a potential security vulnerabilities in Intel firmware may allow escalation of privilege, denial of service, information disclosure. INTEL-SA-00280: CVE-2019-11136, CVE-2019-11137

Intel reported a potential security vulnerability in some Intel Xeon Scalable Processors CPUs may allow denial of service. INTEL-SA-00271: CVE-2019-11139

The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p/T470p which may allow for unauthorized access. CVE-2019-6188

A potential vulnerability in the SMI callback function used in the Legacy USB driver using boot services structure in runtime phase in some Lenovo ThinkPad models may allow arbitrary code execution. CVE-2019-6170

A potential vulnerability in the SMI callback function used in Legacy USB driver using passed parameter without sufficient checking in some Lenovo ThinkPad models may allow arbitrary code execution. CVE-2019-6172

Phoenix has released Window’s driver security enhancements for the Phoenix BIOS Update Utility. CVE-2019-18279

Mitigation Strategy for Customers (what you should do to protect yourself):

Update system firmware to the version (or newer) indicated for your model in the Product Impact section below.

Product Impact: