CVE-2020-8341

low-risk
Published 2020-09-01

In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. While this provides sufficient protection, an additional layer of protection is provided by SPI Protected Range Registers (PRx). After resuming from S3 sleep mode in various versions of BIOS for some Lenovo ThinkPad systems, the PRx is not set. This does not impact the SMM BIOS Write Protection, which keeps systems protected.

Do I need to act?

0.06% chance of exploitation
EPSS score: low exploit probability

Not on CISA KEV list
No confirmed active exploitation reported to CISA

Patch status unknown
Check vendor advisories for fix availability and mitigation guidance

CVSS 2.4/10 Low
PHYSICAL / LOW complexity

Affected Products (10)

ThinkPad T490 (20Nx) Firmware
ThinkPad T490 (20Qx) Firmware
ThinkPad T490 (20Rx) Firmware
ThinkPad T490S (20Nx) Firmware
ThinkPad T495 Drift Firmware
ThinkPad T590 (20Nx) Firmware
ThinkPad X1 Carbon (20Qx) Firmware
ThinkPad X1 Yoga (20Qx) Firmware
ThinkPad X390 (20Qx) Firmware
ThinkPad X390 (20Sx) Firmware

Affected Vendors

26 / 100 low-risk
Severity 10/34 · Low
Exploitability 0/34 · Minimal
Exposure 16/34 · Moderate