CVE-2019-18619 — HIGH (7.8)

Q: How severe is CVE-2019-18619?

CVE-2019-18619 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-18619?

Check the references section above for vendor advisories and patch information. Affected products include: Synaptics Vfs75Xx Firmware, Synaptics Vfs75Xx, Lenovo Thinkpad 25 Firmware, Lenovo Thinkpad 25, Lenovo Thankpad A475 Firmware.

Vulnerability Description

Incorrect parameter validation in the synaTee component of Synaptics WBF drivers using an SGX enclave (all versions prior to 2019-11-15) allows a local user to execute arbitrary code in the enclave (that can compromise confidentiality of enclave data) via APIs that accept invalid pointers.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Synaptics	Vfs75Xx Firmware	5.2.225.26
Synaptics	Vfs75Xx	-
Lenovo	Thinkpad 25 Firmware	< 5.2.3540.26
Lenovo	Thinkpad 25	-
Lenovo	Thankpad A475 Firmware	< 5.02.3539.0026
Lenovo	Thankpad A475	-
Lenovo	Thankpad A485 Firmware	< 5.03.3542.0026
Lenovo	Thankpad A485	-
Lenovo	Thinkpad E480 Firmware	< 5.2.321.26
Lenovo	Thinkpad E480	-
Lenovo	Thinkpad E580 Firmware	< 5.2.321.26
Lenovo	Thinkpad E580	-
Lenovo	Thinkpad E485 Firmware	< 5.2.321.26
Lenovo	Thinkpad E485	-
Lenovo	Thinkpad E585 Firmware	< 5.2.321.26
Lenovo	Thinkpad E585	-
Lenovo	Thinkpad E490S Firmware	< 5.2.321.26
Lenovo	Thinkpad E490S	-
Lenovo	Thinkpad S3 Firmware	< 5.2.321.26
Lenovo	Thinkpad S3	-

Related Weaknesses (CWE)

CWE-763

References

https://support.hp.com/hk-en/document/c06696568PatchThird Party Advisory
https://support.lenovo.com/us/en/product_security/LEN-31372PatchThird Party Advisory
https://www.synaptics.com/company/blog/Vendor Advisory
https://www.synaptics.com/sites/default/files/fingerprint-driver-SGX-security-brVendor Advisory
https://www.syssec.wiwi.uni-due.de/en/research/research-projects/analysis-of-teeVendor Advisory
https://support.hp.com/hk-en/document/c06696568PatchThird Party Advisory
https://support.lenovo.com/us/en/product_security/LEN-31372PatchThird Party Advisory
https://www.synaptics.com/company/blog/Vendor Advisory
https://www.synaptics.com/sites/default/files/fingerprint-driver-SGX-security-brVendor Advisory
https://www.syssec.wiwi.uni-due.de/en/research/research-projects/analysis-of-teeVendor Advisory

FAQ

What is CVE-2019-18619?

CVE-2019-18619 is a vulnerability with a CVSS score of 7.8 (HIGH). Incorrect parameter validation in the synaTee component of Synaptics WBF drivers using an SGX enclave (all versions prior to 2019-11-15) allows a local user to execute arbitrary code in the enclave (t...

How severe is CVE-2019-18619?

CVE-2019-18619 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18619?

Check the references section above for vendor advisories and patch information. Affected products include: Synaptics Vfs75Xx Firmware, Synaptics Vfs75Xx, Lenovo Thinkpad 25 Firmware, Lenovo Thinkpad 25, Lenovo Thankpad A475 Firmware.