CVE-2019-6156
moderate-risk
Published 2019-04-10
In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. While this provides sufficient protection, an additional layer of protection is provided by SPI Protected Range Registers (PRx). Lenovo was notified that, in various BIOS versions for Lenovo systems, the PRx registers are not set after resuming from S3 sleep mode. This does not impact the SMM BIOS Write Protection, which keeps systems protected.
Do I need to act?
EPSS score: 0.04% chance of exploitation (low exploit probability)
CISA KEV: not on the list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 3.3/10 (Low), LOCAL / LOW complexity
Affected Products (20)
510-15Ikl Firmware
510S-08Ikl Firmware
Ideacentre 300-20Ish Firmware
Ideacentre 300S-11Ish Firmware
Ideacentre 510-15Icb Firmware
Ideacentre 510A-15Icb Firmware
Ideacentre 510S-08Ish Firmware
Ideacentre 620S-03Ikl Firmware
Ideacentre 700 Firmware
Ideacentre 720-18Icb Firmware
Legion C530-19Icb Firmware
Legion C730-19Ico Firmware
Legion T530-28Icb Firmware
Legion T730-28Ico Firmware
Legion Y520T Z370 Firmware
Legion Y720 Tower Firmware
Legion Y920 Tower Firmware
Lenovo 63 Firmware
H50-30G Desktop Firmware
M4500 Firmware
46 / 100 · moderate-risk
Severity: 13/34 · Low
Exploitability: 0/34 · Minimal
Exposure: 33/34 · Critical