Vulnerability Name:

CVE-2022-1107 (CCN-224229)

Assigned:2022-04-12
Published:2022-04-12
Updated:2022-05-12
Summary:During an internal product security audit a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler was discovered in some ThinkPad models could be exploited by an attacker with elevated privileges that could allow for execution of code.
CVSS v3 Severity:6.7 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-20
CWE-269
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2022-1107

Source: XF
Type: UNKNOWN
lenovo-cve20221107-priv-esc(224229)

Source: CCN
Type: Lenovo Security Advisory: LEN-84943
ThinkPad BIOS Vulnerabilities

Source: MISC
Type: Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-84943

Vulnerable Configuration:Configuration 1:
  • cpe:/o:lenovo:thinkpad_11e_firmware:*:*:*:*:*:*:*:* (Version < n15et78w)
  • AND
  • cpe:/h:lenovo:thinkpad_11e:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:lenovo:thinkpad_helix_firmware:*:*:*:*:*:*:*:* (Version < n17eta8w)
  • AND
  • cpe:/h:lenovo:thinkpad_helix:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:lenovo:thinkpad_l560_firmware:*:*:*:*:*:*:*:* (Version < n1het85w)
  • AND
  • cpe:/h:lenovo:thinkpad_l560:-:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:lenovo:thinkpad_l570_firmware:*:*:*:*:*:*:*:* (Version < n1xet65w)
  • AND
  • cpe:/h:lenovo:thinkpad_l570:-:*:*:*:*:*:*:*

    • Configuration 5:
  • cpe:/o:lenovo:thinkpad_p50s_firmware:*:*:*:*:*:*:*:* (Version < n1ket46w)
  • AND
  • cpe:/h:lenovo:thinkpad_p50s:-:*:*:*:*:*:*:*

    • Configuration 6:
  • cpe:/o:lenovo:thinkpad_p51s_firmware:*:*:*:*:*:*:*:* (Version < n1vet50w)
  • AND
  • cpe:/h:lenovo:thinkpad_p51s:-:*:*:*:*:*:*:*

    • Configuration 7:
  • cpe:/o:lenovo:thinkpad_p52s_firmware:*:*:*:*:*:*:*:* (Version < n27et36w)
  • AND
  • cpe:/h:lenovo:thinkpad_p52s:-:*:*:*:*:*:*:*

    • Configuration 8:
  • cpe:/o:lenovo:thinkpad_s540_firmware:*:*:*:*:*:*:*:* (Version < gpet80ww)
  • AND
  • cpe:/h:lenovo:thinkpad_s540:-:*:*:*:*:*:*:*

    • Configuration 9:
  • cpe:/o:lenovo:thinkpad_t550_firmware:*:*:*:*:*:*:*:* (Version < n11et50w)
  • AND
  • cpe:/h:lenovo:thinkpad_t550:-:*:*:*:*:*:*:*

    • Configuration 10:
  • cpe:/o:lenovo:thinkpad_t560_firmware:*:*:*:*:*:*:*:* (Version < n1ket46w)
  • AND
  • cpe:/h:lenovo:thinkpad_t560:-:*:*:*:*:*:*:*

    • Configuration 11:
  • cpe:/o:lenovo:thinkpad_t570_firmware:*:*:*:*:*:*:*:* (Version < n1vet50w)
  • AND
  • cpe:/h:lenovo:thinkpad_t570:-:*:*:*:*:*:*:*

    • Configuration 12:
  • cpe:/o:lenovo:thinkpad_t580_firmware:*:*:*:*:*:*:*:* (Version < n27et36w)
  • AND
  • cpe:/h:lenovo:thinkpad_t580:-:*:*:*:*:*:*:*

    • Configuration 13:
  • cpe:/o:lenovo:thinkpad_x1_tablet_gen_1_firmware:*:*:*:*:*:*:*:* (Version < n1let86w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_tablet_gen_1:-:*:*:*:*:*:*:*

    • Configuration 14:
  • cpe:/o:lenovo:thinkpad_x1_tablet_gen_2_firmware:*:*:*:*:*:*:*:* (Version < n1oet50w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_tablet_gen_2:-:*:*:*:*:*:*:*

    • Configuration 15:
  • cpe:/o:lenovo:thinkpad_w540_firmware:*:*:*:*:*:*:*:* (Version < gnet92ww)
  • AND
  • cpe:/h:lenovo:thinkpad_w540:-:*:*:*:*:*:*:*

    • Configuration 16:
  • cpe:/o:lenovo:thinkpad_w541_firmware:*:*:*:*:*:*:*:* (Version < gnet92ww)
  • AND
  • cpe:/h:lenovo:thinkpad_w541:-:*:*:*:*:*:*:*

    • Configuration 17:
  • cpe:/o:lenovo:thinkpad_w550s_firmware:*:*:*:*:*:*:*:* (Version < n11et50w)
  • AND
  • cpe:/h:lenovo:thinkpad_w550s:-:*:*:*:*:*:*:*

    • Configuration 18:
  • cpe:/o:lenovo:thinkpad_x1_carbon_3rd_gen_firmware:*:*:*:*:*:*:*:* (Version < n14et52w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_carbon_3rd_gen:-:*:*:*:*:*:*:*

    • Configuration 19:
  • cpe:/o:lenovo:thinkpad_x1_carbon_4th_gen_firmware:*:*:*:*:*:*:*:* (Version < n1fet70w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_carbon_4th_gen:-:*:*:*:*:*:*:*

    • Configuration 20:
  • cpe:/o:lenovo:thinkpad_x1_carbon_5th_gen_kabylake_firmware:*:*:*:*:*:*:*:* (Version < n1met55w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_carbon_5th_gen_kabylake:-:*:*:*:*:*:*:*

    • Configuration 21:
  • cpe:/o:lenovo:thinkpad_x1_carbon_5th_gen_skylake_firmware:*:*:*:*:*:*:*:* (Version < n1met55w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_carbon_5th_gen_skylake:-:*:*:*:*:*:*:*

    • Configuration 22:
  • cpe:/o:lenovo:thinkpad_x1_yoga_firmware:*:*:*:*:*:*:*:* (Version < n1fet70w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_yoga:-:*:*:*:*:*:*:*

    • Configuration 23:
  • cpe:/o:lenovo:thinkpad_x1_yoga_gen_2_firmware:*:*:*:*:*:*:*:* (Version < n1net47w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_yoga_gen_2:-:*:*:*:*:*:*:*

    • Configuration 24:
  • cpe:/o:lenovo:thinkpad_x1_yoga_gen_3_firmware:*:*:*:*:*:*:*:* (Version < n25et50w)
  • AND
  • cpe:/h:lenovo:thinkpad_x1_yoga_gen_3:-:*:*:*:*:*:*:*

    • Configuration 25:
  • cpe:/o:lenovo:thinkpad_x250_firmware:*:*:*:*:*:*:*:* (Version < n10et58w)
  • AND
  • cpe:/h:lenovo:thinkpad_x250:-:*:*:*:*:*:*:*

    • Configuration 26:
  • cpe:/o:lenovo:thinkpad_x280_firmware:*:*:*:*:*:*:*:* (Version < n20et44w)
  • AND
  • cpe:/h:lenovo:thinkpad_x280:-:*:*:*:*:*:*:*

    • Configuration 27:
  • cpe:/o:lenovo:thinkpad_x390_firmware:*:*:*:*:*:*:*:* (Version < n2let60w)
  • AND
  • cpe:/h:lenovo:thinkpad_x390:-:*:*:*:*:*:*:*

    • Configuration 28:
  • cpe:/o:lenovo:thinkpad_11e_yoga_firmware:*:*:*:*:*:*:*:* (Version < n15et78w)
  • AND
  • cpe:/h:lenovo:thinkpad_11e_yoga:-:*:*:*:*:*:*:*

    • Configuration 29:
  • cpe:/o:lenovo:thinkpad_yoga_15_firmware:*:*:*:*:*:*:*:* (Version < n19et61w)
  • AND
  • cpe:/h:lenovo:thinkpad_yoga_15:-:*:*:*:*:*:*:*

    • Configuration 30:
  • cpe:/o:lenovo:thinkpad_yoga_260_firmware:*:*:*:*:*:*:*:* (Version < n1get98w)
  • AND
  • cpe:/h:lenovo:thinkpad_yoga_260:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/h:lenovo:thinkpad_l560:-:*:*:*:*:*:*:*
  • OR cpe:/h:lenovo:thinkpad_p50s:-:*:*:*:*:*:*:*
  • OR cpe:/h:lenovo:thinkpad_s540:-:*:*:*:*:*:*:*
  • OR cpe:/h:lenovo:thinkpad_t550:-:*:*:*:*:*:*:*
  • OR cpe:/h:lenovo:thinkpad_t560:-:*:*:*:*:*:*:*
  • OR cpe:/h:lenovo:thinkpad_w550s:-:*:*:*:*:*:*:*
  • OR cpe:/h:lenovo:thinkpad_x1_tablet:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    lenovo thinkpad 11e firmware *
    lenovo thinkpad 11e -
    lenovo thinkpad helix firmware *
    lenovo thinkpad helix -
    lenovo thinkpad l560 firmware *
    lenovo thinkpad l560 -
    lenovo thinkpad l570 firmware *
    lenovo thinkpad l570 -
    lenovo thinkpad p50s firmware *
    lenovo thinkpad p50s -
    lenovo thinkpad p51s firmware *
    lenovo thinkpad p51s -
    lenovo thinkpad p52s firmware *
    lenovo thinkpad p52s -
    lenovo thinkpad s540 firmware *
    lenovo thinkpad s540 -
    lenovo thinkpad t550 firmware *
    lenovo thinkpad t550 -
    lenovo thinkpad t560 firmware *
    lenovo thinkpad t560 -
    lenovo thinkpad t570 firmware *
    lenovo thinkpad t570 -
    lenovo thinkpad t580 firmware *
    lenovo thinkpad t580 -
    lenovo thinkpad x1 tablet gen 1 firmware *
    lenovo thinkpad x1 tablet gen 1 -
    lenovo thinkpad x1 tablet gen 2 firmware *
    lenovo thinkpad x1 tablet gen 2 -
    lenovo thinkpad w540 firmware *
    lenovo thinkpad w540 -
    lenovo thinkpad w541 firmware *
    lenovo thinkpad w541 -
    lenovo thinkpad w550s firmware *
    lenovo thinkpad w550s -
    lenovo thinkpad x1 carbon 3rd gen firmware *
    lenovo thinkpad x1 carbon 3rd gen -
    lenovo thinkpad x1 carbon 4th gen firmware *
    lenovo thinkpad x1 carbon 4th gen -
    lenovo thinkpad x1 carbon 5th gen kabylake firmware *
    lenovo thinkpad x1 carbon 5th gen kabylake -
    lenovo thinkpad x1 carbon 5th gen skylake firmware *
    lenovo thinkpad x1 carbon 5th gen skylake -
    lenovo thinkpad x1 yoga firmware *
    lenovo thinkpad x1 yoga -
    lenovo thinkpad x1 yoga gen 2 firmware *
    lenovo thinkpad x1 yoga gen 2 -
    lenovo thinkpad x1 yoga gen 3 firmware *
    lenovo thinkpad x1 yoga gen 3 -
    lenovo thinkpad x250 firmware *
    lenovo thinkpad x250 -
    lenovo thinkpad x280 firmware *
    lenovo thinkpad x280 -
    lenovo thinkpad x390 firmware *
    lenovo thinkpad x390 -
    lenovo thinkpad 11e yoga firmware *
    lenovo thinkpad 11e yoga -
    lenovo thinkpad yoga 15 firmware *
    lenovo thinkpad yoga 15 -
    lenovo thinkpad yoga 260 firmware *
    lenovo thinkpad yoga 260 -
    lenovo thinkpad l560 -
    lenovo thinkpad p50s -
    lenovo thinkpad s540 -
    lenovo thinkpad t550 -
    lenovo thinkpad t560 -
    lenovo thinkpad w550s -
    lenovo thinkpad x1 tablet -