CVE-2019-18619

HIGH | CVSS 7.8/10 | EPSS 0.47%

CVE-2019-18619 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. Incorrect parameter validation in the synaTee component of Synaptics WBF drivers using an SGX enclave (all versions prior to 2019-11-15) allows a local user to execute arbitrary code in the enclave (that can compromise confidentiality of enclave data) via APIs that accept invalid pointers. EPSS estimates a 0.47% chance of exploitation in the next 30 days.

Description

Incorrect parameter validation in the synaTee component of Synaptics WBF drivers using an SGX enclave (all versions prior to 2019-11-15) allows a local user to execute arbitrary code in the enclave (that can compromise confidentiality of enclave data) via APIs that accept invalid pointers.

Metrics

CVSS 3.1
7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.47%

37.1th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

| Vendor | Product | Versions |
| --- | --- | --- |
| Synaptics | Vfs75xx Firmware | 5.2.225.26 |
| Synaptics | Vfs75xx Firmware | 5.2.318.26 |
| Synaptics | Vfs75xx Firmware | 5.2.524.26 |
| Synaptics | Vfs75xx Firmware | 5.2.3530.26 |
| Synaptics | Vfs75xx Firmware | 5.3.3539.26 |
| Synaptics | Vfs75xx Firmware | 5.5.3.1116 |
| Synaptics | Vfs75xx Firmware | 5.5.8.1096 |
| Synaptics | Vfs75xx Firmware | 5.5.10.1093 |
| Synaptics | Vfs75xx Firmware | 5.5.11.1106 |
| Synaptics | Vfs75xx Firmware | 5.5.15.1102 |
| Synaptics | Vfs75xx Firmware | 5.5.38.1058 |
| Synaptics | Vfs75xx Firmware | 5.5.2734.1050 |
| Synaptics | Vfs75xx Firmware | 5.5.2811.1050 |
| Synaptics | Vfs75xx Firmware | 5.6.23.1000 |
| Synaptics | Vfs75xx Firmware | 6.0.14.1108 |
| Synaptics | Vfs75xx Firmware | 6.0.32.1104 |
| Synaptics | Vfs75xx Firmware | 6.0.42.1107 |
| Lenovo | Thinkpad 25 Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad A475 Firmware | < 5.02.3539.0026 |
| Lenovo | Thinkpad A485 Firmware | < 5.03.3542.0026 |
| Lenovo | Thinkpad E480 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad E580 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad E485 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad E585 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad E490s Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad S3 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad E490 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad E590 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad R490 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad R590 Firmware | < 5.2.321.26 |
| Lenovo | Thinkpad L480 Firmware | < 5.3.3542.26 |
| Lenovo | Thinkpad L580 Firmware | < 5.3.3542.26 |
| Lenovo | Thinkpad P1 Firmware | < 5.3.3542.26 |
| Lenovo | Thinkpad P1 Gen 2 Firmware | < 6.0.36.1105 |
| Lenovo | Thinkpad X1 Extreme 2nd Firmware | < 6.0.36.1105 |
| Lenovo | Thinkpad P43s Firmware | < 6.0.36.1105 |
| Lenovo | Thinkpad P50 Firmware | < 5.1.338.26 |
| Lenovo | Thinkpad P51 Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad P51s (20jx) Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad P51s (20kx) Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad P51s (20hx) Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad P52 Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad P52s Firmware | < 5.3.3542.26 |
| Lenovo | Thinkpad P53 Firmware | < 6.0.36.1105 |
| Lenovo | Thinkpad P53s Firmware | < 6.0.36.1105 |
| Lenovo | Thinkpad P70 Firmware | < 5.1.338.26 |
| Lenovo | Thinkpad P71 (20hx) Firmware | < 5.2.3540.26 |
| Lenovo | Thinkpad P72 Firmware | < 5.3.3542.26 |
| Lenovo | Thinkpad P73 Firmware | < 5.3.3542.26 |
| Lenovo | Thinkpad T25 (20k7) Firmware | < 5.2.3540.26 |

Showing 50 of 128 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-18619?
Incorrect parameter validation in the synaTee component of Synaptics WBF drivers using an SGX enclave (all versions prior to 2019-11-15) allows a local user to execute arbitrary code in the enclave (that can compromise confidentiality of enclave data) via APIs that accept invalid pointers.
How severe is CVE-2019-18619?
CVE-2019-18619 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.
How do I fix CVE-2019-18619?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST