Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-9084

In System Management Module (SMM) versions prior to 1.06, if an attacker manages to log in to the device OS, the validation of software updates can be circumvented.

Published

2018-11-27T14:29:00.713

Last Modified

2024-11-21T04:14:56.683

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	lenovo	system_management_module_firmware	< 1.06	Yes
Hardware	lenovo	thinkagile_hx_enclosure_7x81	-	No
Hardware	lenovo	thinkagile_hx_enclosure_7y87	-	No
Hardware	lenovo	thinkagile_hx_enclosure_7z02	-	No
Hardware	lenovo	thinkagile_vx_enclosure_7y11	-	No
Hardware	lenovo	thinkagile_vx_enclosure_7y91	-	No
Hardware	lenovo	thinksystem_d2_enclosure_7x20	-	No
Hardware	lenovo	thinksystem_modular_enclosure_7x22	-	No

References

https://support.lenovo.com/us/en/solutions/LEN-24374 Vendor Advisory ([email protected])
https://support.lenovo.com/us/en/solutions/LEN-24374 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)