LenovoLENOVO:PS500368-MULTI-VENDOR-BIOS-SECURITY-VULNERABILITIES-NOVEMBER-2020-NOSIDMulti-vendor BIOS Security Vulnerabilities (November 2020) - Lenovo Support NL
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
**Lenovo Security Advisory:**LEN-49266
**Potential Impact:**Information disclosure, privilege escalation, denial of service
**Severity:**High
**Scope of Impact:**Industry-wide
**CVE Identifier:**CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-0591, CVE-2020-0592, CVE-2020-0593, CVE-2020-1025, CVE-2020-1289, CVE-2020-1292, CVE-2020-2963, CVE-2020-8694, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698, CVE-2020-8352, CVE-2020-8354
Summary Description:
When possible, Lenovo consolidates multiple BIOS security fixes and enhancements into as few updates as possible. The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. Not all products listed in the Product Impact section of this advisory were affected by every CVE summarized here.
AMD reported a potential vulnerability that may impact AMD’s TPM implementation of non-orderly shutdown-failedTries with the USE_DA_USED build flag. CVE-2020-12926 (AMD), CVE-2020-29633 (TCG)
AMD reported a potential vulnerability in some AMD notebook or embedded processors that may allow privilege escalation. CVE-2020-12890
AMI has released AMI Aptio V BIOS security enhancements. No CVEs available
Intel reported potential security vulnerabilities in the BIOS firmware for some Intel® Processors that may allow escalation of privilege or denial of service. INTEL-SA-00358: CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-0591, CVE-2020-0592, CVE-2020-0593
Intel reported potential security vulnerabilities in some Intel® Processors that may allow information disclosure. INTEL-SA-00381: CVE-2020-8696, CVE-2020-8698
Intel reported potential security vulnerabilities in the Intel® Running Average Power Limit (RAPL) Interface that may allow information disclosure. INTEL-SA-00389: CVE-2020-8694, CVE-2020-8695
A potential vulnerability in the SMI callback function used in the VariableServiceSmm driver in some Lenovo Notebook models may allow arbitrary code execution. CVE-2020-8354
In some Lenovo Desktop models, the Configuration Change Detection BIOS setting failed to detect SATA configuration changes. CVE-2020-8352
Phoenix has released security enhancements for Phoenix BIOS. No CVEs available
Mitigation Strategy for Customers (what you should do to protect yourself):
Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P