Lenovo has patched several several high-severity vulnerabilities tied to Intel flaws that could enable escalation of privilege, information disclosure, or even denial of service.
Overall the device maker patched flaws tied to 16 high-severity CVEs on Thursday. Those include five related to Intel firmware vulnerabilities, as well as 11 flaws stemming from vulnerabilities in Intel Converged Security and Management Engine (CSME), Intel Server Platform Services, Intel Trusted Execution Engine and Intel Active Management Technology.
The patches come two days after Intel released its own security update, Tuesday, warning of 19 vulnerabilities across its popular graphics drivers for Windows 10, as well as a larger set of fixes across other Intel products, including its Matrix Storage Manager, Active Management Technology and Accelerated Storage Manager.
The CVEs tied to Intel firmware (CVE-2018-12201, CVE-2018-12202, CVE-2018-12203, CVE-2018-12204, CVE-2018-12205) impact Lenovo Desktops, IdeaPads, Storage, ThinkPad, ThinkServer, ThinkStations and ThinkSystems.
The worst of these are privilege escalation vulnerabilities in certain Intel Platform Sample/ Silicon Reference firmware which are in Lenovo products.
That includes CVE-2018-12204 (with a CVSS score of 7.5) which could “allow privileged user to potentially execute arbitrary code via local access,” and CVE-2018-12205(with a CVSS score of 7.6) which could “allow unauthenticated user to potentially execute arbitrary code via physical access.”
“Intel recommends upgrading to the firmware version (or newer) indicated for your model,” according to Lenovo’s advisory. A full list of the updated firmware versions for various Lenovo products can be found on its website.
The other 11 high-severity flaws ( CVE-2018-12188, CVE-2018-12189, CVE-2018-12190, CVE-2018-12191, CVE-2018-12192, CVE-2018-12199, CVE-2018-12198, CVE-2018-12200, CVE-2018-12187, CVE-2018-12196, CVE-2018-12185) exist across several Intel products within Lenovo devices.
Those Intel technologies are: Intel Converged Security and Management Engine (CSME), its autonomous subsystem that has been incorporated into its processor chipsets; Intel Server Platform Services; Intel Trusted Execution Engine, which assures that an authentic OS starts in a trusted environment; and Intel Active Management Technology which enables IT managers to discover, repair, and help protect networked computing assets.
“Multiple potential security vulnerabilities in Intel CSME, Server Platform Services, Trusted Execution Engine and Intel Active Management Technology may allow users to potentially escalate privileges, disclose information or cause a denial of service,” according to an Intel advisory. “Intel is releasing Intel CSME, Server Platform Services, Trusted Execution Engine and Intel Active Management Technology updates to mitigate these potential vulnerabilities.”
Impacted are Lenovo Desktops, IdeaPads, ThinkPads, ThinkServers, ThinkStations and ThinkSystems.
The worst of these, CVE-2018-12190, is in Intel CSME and has a CVSS score of 8.2. The flaw stems from insufficient input validation in CSME and “may allow privileged user to potentially execute arbitrary code via local access” according to Intel.
Another high-severity flaw (CVE-2018-12187) in Intel Active Management Technology may allow an unauthenticated user to potentially cause a denial of service via network access; while a serious vulnerability (CVE-2018-12200) in Intel Capability Licensing Service may allow an unprivileged user to potentially escalate privileges via local access.
“Intel recommends upgrading to the Intel CSME, Server Platform Services, Trusted Execution Engine, and Intel Active Management Technology version (or newer) indicated for your model in the Product Impact section,” according to Lenovo’s advisory.
Beyond Intel’s technology in its products, Lenovo also patched a medium-severity vulnerability (CVE-2019-6149) that stemmed from an unquoted search path vulnerability in Dynamic Power Reduction Utility, software aimed to reduce the maximum Output Power Transmitted on 2G/3G/4G Lenovo devices.
The flaw “could allow a malicious user with local access to execute code with administrative privileges,” according to Lenovo.
Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.
Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.