Intel Thunderbolt Vulnerabilities - Lenovo Support US

Lenovo Security Advisory: LEN-31390

Potential Impact: Information disclosure, privilege escalation

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2019-14630

Summary Description:

Intel reported potential security vulnerabilities, requiring physical access and dedicated equipment, in Intel Thunderbolt that could allow a malicious peripheral device to access secret data and change system behavior on systems with Thunderbolt interfaces.

Mitigation Strategy for Customers (what you should do to protect yourself):

Intel recommends the following guidelines for a robust DMA protection solution:

• Set BIOS Administrator/Supervisor Password to protect BIOS settings
• Enable Kernel DMA protections in BIOS and Operating System
  • Kernel DMA protections are available in Windows (Windows 10 1803 RS4 and later) and Linux (kernel 5.x and later) for systems with newer Intel processors (2019 or later).
• Enable Secure Boot in BIOS
• Enable drive encryption such as BitLocker

For all systems, Lenovo recommends customers follow best security practices as described by Intel, including the use of only trusted peripherals and preventing unauthorized physical access to computers.

To detect potential system tampering customers can enable Tamper Detection/Chassis Intrusion Detection in BIOS on supported systems and protect the setting with a BIOS Administrator/Supervisor Password.

To completely disable Thunderbolt, concerned customers can set the Thunderbolt BIOS setting to Disabled and protect the setting with a BIOS Administrator/Supervisor Password. NOTE: On some systems, this may also disable USB-C ports.