CVE-2019-18618

Severity: MEDIUM | CVSS 6/10 | EPSS 0.48%

Last modified

CVE-2019-18618 is a medium-severity vulnerability rated 6/10 on the CVSS scale. Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table. EPSS estimates a 0.48% chance of exploitation in the next 30 days.

Description

Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table.

Metrics

CVSS 3.1
6/10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS Probability
0.48%

38.0th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor | Product | Versions
--- | --- | ---
Synaptics | Vfs75xx Firmware | 5.1.5.51
Synaptics | Vfs75xx Firmware | 5.1.337.26
Synaptics | Vfs75xx Firmware | 5.1.3507.26
Synaptics | Vfs75xx Firmware | 5.2.320.26
Synaptics | Vfs75xx Firmware | 5.2.524.26
Synaptics | Vfs75xx Firmware | 5.2.3109.26
Synaptics | Vfs75xx Firmware | 5.2.3530.26
Synaptics | Vfs75xx Firmware | 5.2.5024.26
Synaptics | Vfs75xx Firmware | 5.3.3541.26
Synaptics | Vfs75xx Firmware | 5.5.4.1116
Synaptics | Vfs75xx Firmware | 5.5.8.1092
Synaptics | Vfs75xx Firmware | 5.5.10.1100
Synaptics | Vfs75xx Firmware | 5.5.10.1106
Synaptics | Vfs75xx Firmware | 5.5.17.1099
Synaptics | Vfs75xx Firmware | 5.5.17.1102
Synaptics | Vfs75xx Firmware | 5.5.35.1058
Synaptics | Vfs75xx Firmware | 5.5.502.79
Synaptics | Vfs75xx Firmware | 5.5.512.1051
Synaptics | Vfs75xx Firmware | 5.5.2734.1050
Synaptics | Vfs75xx Firmware | 5.5.2810.1050
Lenovo | Thinkpad 25 Firmware | < 5.2.3540.26
Lenovo | Thinkpad A475 Firmware | < 5.02.3539.0026
Lenovo | Thinkpad A485 Firmware | < 5.03.3542.0026
Lenovo | Thinkpad E480 Firmware | < 5.2.321.26
Lenovo | Thinkpad E580 Firmware | < 5.2.321.26
Lenovo | Thinkpad E485 Firmware | < 5.2.321.26
Lenovo | Thinkpad E585 Firmware | < 5.2.321.26
Lenovo | Thinkpad E490s Firmware | < 5.2.321.26
Lenovo | Thinkpad S3 Firmware | < 5.2.321.26
Lenovo | Thinkpad E490 Firmware | < 5.2.321.26
Lenovo | Thinkpad E590 Firmware | < 5.2.321.26
Lenovo | Thinkpad R490 Firmware | < 5.2.321.26
Lenovo | Thinkpad R590 Firmware | < 5.2.321.26
Lenovo | Thinkpad L480 Firmware | < 5.3.3542.26
Lenovo | Thinkpad L580 Firmware | < 5.3.3542.26
Lenovo | Thinkpad P1 Firmware | < 5.3.3542.26
Lenovo | Thinkpad P1 Gen 2 Firmware | < 6.0.36.1105
Lenovo | Thinkpad X1 Extreme 2nd Firmware | < 6.0.36.1105
Lenovo | Thinkpad P43s Firmware | < 6.0.36.1105
Lenovo | Thinkpad P50 Firmware | < 5.1.338.26
Lenovo | Thinkpad P51 Firmware | < 5.2.3540.26
Lenovo | Thinkpad P51s (20jx) Firmware | < 5.2.3540.26
Lenovo | Thinkpad P51s (20kx) Firmware | < 5.2.3540.26
Lenovo | Thinkpad P51s (20hx) Firmware | < 5.2.3540.26
Lenovo | Thinkpad P52 Firmware | < 5.2.3540.26
Lenovo | Thinkpad P52s Firmware | < 5.3.3542.26
Lenovo | Thinkpad P53 Firmware | < 6.0.36.1105
Lenovo | Thinkpad P53s Firmware | < 6.0.36.1105
Lenovo | Thinkpad P70 Firmware | < 5.1.338.26
Lenovo | Thinkpad P71 (20hx) Firmware | < 5.2.3540.26

Showing 50 of 152 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2019-18618?
Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table.
How severe is CVE-2019-18618?
CVE-2019-18618 has a CVSS score of 6/10 (MEDIUM severity). The EPSS model estimates a 0.48% probability of exploitation in the next 30 days.
How do I fix CVE-2019-18618?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST