CVE-2015-5684

high-risk
Published 2020-03-27

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A buffer overflow vulnerability was reported, (fixed and publicly disclosed in 2015) in the Lenovo Service Engine (LSE), affecting various versions of BIOS for Lenovo Notebooks, that could allow a remote user to execute arbitrary code on the system.

Do I need to act?

~
4.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

B50-10 Firmware
Flex 2 Pro-15 Firmware
Edge 15 Firmware
Flex 3-1470 Firmware
Flex 3-1570 Firmware
Flex 3-1120 Firmware
G40-80 Firmware
G50-80 Firmware
G50-80 Touch Firmware
G50-80 Touch V3000 Firmware
G40-80M Firmware
G50-80M Firmware
Ideapad 100-14Iby Firmware
Ideapad 100-15Iby Firmware
S21E Firmware
S41-70 Firmware
U41-70 Firmware
S435 Firmware
M40-35 Firmware
U31-70 Firmware

Affected Vendors

Lenovo

References (2)

Vendor Advisory https://support.lenovo.com/us/en/product_security/lse_bios_notebook
Vendor Advisory https://support.lenovo.com/us/en/product_security/lse_bios_notebook
61
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 22/34 · High