CVE-2015-2890 — MEDIUM (6.0)

Q: How severe is CVE-2015-2890?

CVE-2015-2890 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-2890?

Check the references section above for vendor advisories and patch information. Affected products include: Dell Bios, Dell Latitude E6420 Atg, Dell Latitude E6420 Xfr, Dell Latitude E6220, Dell Latitude Xt3.

Vulnerability Description

The BIOS implementation on Dell Latitude, OptiPlex, Precision Mobile Workstation, and Precision Workstation Client Solutions (CS) devices with model-dependent firmware before A21 does not enforce a BIOS_CNTL locking protection mechanism upon being woken from sleep, which allows local users to conduct EFI flash attacks by leveraging console access, a similar issue to CVE-2015-3692.

CVSS Score

6.0

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Dell	Bios	<= a20
Dell	Latitude E6420 Atg	All versions
Dell	Latitude E6420 Xfr	All versions
Dell	Latitude E6220	All versions
Dell	Latitude Xt3	All versions
Dell	Latitude E4310	All versions
Dell	Latitude E5410	All versions
Dell	Latitude E5510	All versions
Dell	Latitude E6410 Atg	All versions
Dell	Latitude E6510	All versions
Dell	Precision Mobile M4600	All versions
Dell	Precision T1600	All versions
Dell	Latitude E6320	All versions
Dell	Latitude E6520	All versions
Dell	Precision Mobile M4500	All versions
Dell	Precision Mobile M6600	All versions
Dell	Latitude E5420	All versions
Dell	Latitude E5520	All versions
Dell	Precision T3600	All versions
Dell	Precision T5600	All versions

References

http://www.kb.cert.org/vuls/id/577140Third Party AdvisoryUS Government Resource
http://www.kb.cert.org/vuls/id/BLUU-9XXQ9LThird Party AdvisoryUS Government Resource
http://www.kb.cert.org/vuls/id/577140Third Party AdvisoryUS Government Resource
http://www.kb.cert.org/vuls/id/BLUU-9XXQ9LThird Party AdvisoryUS Government Resource

FAQ

What is CVE-2015-2890?

CVE-2015-2890 is a vulnerability with a CVSS score of 6.0 (MEDIUM). The BIOS implementation on Dell Latitude, OptiPlex, Precision Mobile Workstation, and Precision Workstation Client Solutions (CS) devices with model-dependent firmware before A21 does not enforce a BI...

How severe is CVE-2015-2890?

CVE-2015-2890 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-2890?

Check the references section above for vendor advisories and patch information. Affected products include: Dell Bios, Dell Latitude E6420 Atg, Dell Latitude E6420 Xfr, Dell Latitude E6220, Dell Latitude Xt3.