CVE-2021-3599 — MEDIUM (6.7)

Q: What is CVE-2021-3599?

CVE-2021-3599 is a vulnerability with a CVSS score of 6.7 (MEDIUM). A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Q: How severe is CVE-2021-3599?

CVE-2021-3599 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-3599?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Thinkpad X380 Yoga Firmware, Lenovo Thinkpad X380 Yoga, Lenovo Thinkpad X1 Fold Gen 1 Firmware, Lenovo Thinkpad X1 Fold Gen 1, Lenovo Thinkpad Yoga 260 Firmware.

Vulnerability Description

A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVSS Score

6.7

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lenovo	Thinkpad X380 Yoga Firmware	< 2020-10-31
Lenovo	Thinkpad X380 Yoga	-
Lenovo	Thinkpad X1 Fold Gen 1 Firmware	< 2021-10-29
Lenovo	Thinkpad X1 Fold Gen 1	-
Lenovo	Thinkpad Yoga 260 Firmware	< 2021-10-25
Lenovo	Thinkpad Yoga 260	-
Lenovo	Thinkpad Yoga 11E 3Rd Gen Firmware	< 2021-10-31
Lenovo	Thinkpad Yoga 11E 3Rd Gen	-
Lenovo	Thinkpad Yoga 15 Firmware	< n19et66w
Lenovo	Thinkpad Yoga 15	-
Lenovo	Thinkpad Yoga 370 Firmware	< 2021-10-31
Lenovo	Thinkpad Yoga 370	-
Lenovo	Thinkpad X12 Detachable Gen 1 Firmware	< 2021-10-31
Lenovo	Thinkpad X12 Detachable Gen 1	-
Lenovo	Thinkpad X390 Firmware	< n2jet96w
Lenovo	Thinkpad X390	-
Lenovo	Thinkpad Yoga 11E 4Th Gen Firmware	< 2021-10-31
Lenovo	Thinkpad Yoga 11E 4Th Gen	-
Lenovo	Thinkpad Yoga 11E 5Th Gen Firmware	< 2021-10-31
Lenovo	Thinkpad Yoga 11E 5Th Gen	-

Related Weaknesses (CWE)

CWE-20

References

https://support.lenovo.com/us/en/product_security/LEN-67440PatchVendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-67440PatchVendor Advisory

FAQ

What is CVE-2021-3599?

CVE-2021-3599 is a vulnerability with a CVSS score of 6.7 (MEDIUM). A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

How severe is CVE-2021-3599?

CVE-2021-3599 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3599?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Thinkpad X380 Yoga Firmware, Lenovo Thinkpad X380 Yoga, Lenovo Thinkpad X1 Fold Gen 1 Firmware, Lenovo Thinkpad X1 Fold Gen 1, Lenovo Thinkpad Yoga 260 Firmware.