CVE-2021-3972 — Active Debug Code in Lenovo Ideapad 3-14ada05 Firmware

CWE-489 — Active Debug Code3 documents3 sources

Severity

6.7MEDIUMNVD

EPSS

3.2%

top 12.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Ideapad 3-14ada05 Firmware Lenovo Ideapad 3-14ada6 Firmware Lenovo Ideapad 3-14alc6 Firmware +95 more

Timeline

PublishedApr 22

Latest updateApr 23

Description

A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages98 packages

▶CVEListV5lenovo/notebook_biosvarious

▶NVDlenovo/v14-ada_firmware< e8cn33ww

▶NVDlenovo/v14-are_firmware< dzcn42ww

▶NVDlenovo/v14-igl_firmware< dvcn23ww

▶NVDlenovo/v14-iil_firmware< dkcn54ww

🔴Vulnerability Details

GHSA

GHSA-h8xq-rx7h-94j2: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactiv↗2022-04-23

▶

CVEList

CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactiv↗2022-04-22

▶