Description
Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://support.lenovo.com/us/en/solutions/LEN-20241
Scores
CVSS v3
6.4
EPSS
0.0004
EPSS Percentile
12.8%
Attack Vector
PHYSICAL
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (11)
lenovo/flex_system_x240_m5_bios
< 2.61
lenovo/flex_system_x280_x6_bios
< 4.21
lenovo/flex_system_x480_x6_bios
< 4.21
lenovo/flex_system_x880_bios
< 4.21
lenovo/nextscale_nx360_m5_bios
< 2.61
lenovo/system_x3250_m6_bios
< 2.23
lenovo/system_x3500_m5_bios
< 2.61
lenovo/system_x3550_m5_bios
< 2.61
lenovo/system_x3650_m5_bios
< 2.61
lenovo/system_x3850_x6_bios
< 4.3
... and 1 more
Published
May 04, 2018
Tracked Since
Feb 18, 2026