CVE-2019-18618 — MEDIUM (6.0)

Q: How severe is CVE-2019-18618?

CVE-2019-18618 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-18618?

Check the references section above for vendor advisories and patch information. Affected products include: Synaptics Vfs75Xx Firmware, Synaptics Vfs75Xx, Lenovo Thinkpad 25 Firmware, Lenovo Thinkpad 25, Lenovo Thankpad A475 Firmware.

Vulnerability Description

Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table.

CVSS Score

6.0

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Synaptics	Vfs75Xx Firmware	5.1.5.51
Synaptics	Vfs75Xx	-
Lenovo	Thinkpad 25 Firmware	< 5.2.3540.26
Lenovo	Thinkpad 25	-
Lenovo	Thankpad A475 Firmware	< 5.02.3539.0026
Lenovo	Thankpad A475	-
Lenovo	Thankpad A485 Firmware	< 5.03.3542.0026
Lenovo	Thankpad A485	-
Lenovo	Thinkpad E480 Firmware	< 5.2.321.26
Lenovo	Thinkpad E480	-
Lenovo	Thinkpad E580 Firmware	< 5.2.321.26
Lenovo	Thinkpad E580	-
Lenovo	Thinkpad E485 Firmware	< 5.2.321.26
Lenovo	Thinkpad E485	-
Lenovo	Thinkpad E585 Firmware	< 5.2.321.26
Lenovo	Thinkpad E585	-
Lenovo	Thinkpad E490S Firmware	< 5.2.321.26
Lenovo	Thinkpad E490S	-
Lenovo	Thinkpad S3 Firmware	< 5.2.321.26
Lenovo	Thinkpad S3	-

References

https://support.hp.com/us-en/document/c06696474PatchThird Party Advisory
https://support.lenovo.com/us/en/product_security/LEN-31372PatchThird Party Advisory
https://www.synaptics.com/company/blog/Vendor Advisory
https://www.synaptics.com/sites/default/files/fingerprint-sensor-VFS7500-securitVendor Advisory
https://support.hp.com/us-en/document/c06696474PatchThird Party Advisory
https://support.lenovo.com/us/en/product_security/LEN-31372PatchThird Party Advisory
https://www.synaptics.com/company/blog/Vendor Advisory
https://www.synaptics.com/sites/default/files/fingerprint-sensor-VFS7500-securitVendor Advisory

FAQ

What is CVE-2019-18618?

CVE-2019-18618 is a vulnerability with a CVSS score of 6.0 (MEDIUM). Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacke...

How severe is CVE-2019-18618?

CVE-2019-18618 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18618?

Check the references section above for vendor advisories and patch information. Affected products include: Synaptics Vfs75Xx Firmware, Synaptics Vfs75Xx, Lenovo Thinkpad 25 Firmware, Lenovo Thinkpad 25, Lenovo Thankpad A475 Firmware.