Strix
26.1K

CVE-2021-3599

MEDIUMCVSS 6.7/10EPSS 0.28%

Last modified

CVE-2021-3599 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.. EPSS estimates a 0.28% chance of exploitation in the next 30 days.

Description

A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Metrics

CVSS 3.1
6.7/10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.28%

19.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LenovoThinkpad X380 Yoga Firmware< 2020-10-31
LenovoThinkpad X1 Fold Gen 1 Firmware< 2021-10-29
LenovoThinkpad Yoga 260 Firmware< 2021-10-25
LenovoThinkpad Yoga 11e 3rd Gen Firmware< 2021-10-31
LenovoThinkpad Yoga 15 Firmware< n19et66w
LenovoThinkpad Yoga 370 Firmware< 2021-10-31
LenovoThinkpad X12 Detachable Gen 1 Firmware< 2021-10-31
LenovoThinkpad X390 Firmware< n2jet96w
LenovoThinkpad Yoga 11e 4th Gen Firmware< 2021-10-31
LenovoThinkpad Yoga 11e 5th Gen Firmware< 2021-10-31
LenovoThinkpad X250 Firmware< 2021-10-31
LenovoThinkpad X260 Firmware< 2021-10-31
LenovoThinkpad X390 Yoga Firmware< n2let87w
LenovoThinkpad X280 Firmware< n20et58w
LenovoThinkpad X1 Titanium Firmware< n2met51w
LenovoThinkpad X270 Firmware< 2021-10-29
LenovoThinkpad X1 Carbon 5th Gen Kabylake Firmware< n1met66w
LenovoThinkpad X13 Gen 1 Firmware< n2yet31w
LenovoThinkpad X13 Gen 2 Firmware< n35et41w
LenovoThinkpad X13 Yoga Gen 1 Firmware< n2uet56w
LenovoThinkpad X13 Yoga Gen 2 Firmware< n39et47w
LenovoThinkpad X1 Carbon 5th Gen Skylake Firmware< n1met66w
LenovoThinkpad X1 Yoga 1st Gen Firmware< n1fet76w
LenovoThinkpad X1 Yoga 3rd Gen Firmware< n25et57w
LenovoThinkpad X1 Yoga 4th Gen Firmware< n2het64w
LenovoThinkpad X1 Yoga Gen 5 Firmware< n2wet30w
LenovoThinkpad X1 Carbon 4th Gen Firmware< n1fet76w
LenovoThinkpad 10 Firmware< 2021-10-25
LenovoThinkpad X1 Nano Gen 1 Firmware< n2tet67w
LenovoThinkpad X1 Extreme Firmware< n2eet54w
LenovoThinkpad X1 Extreme 2nd Firmware< n2oet53w
LenovoThinkpad X1 Extreme Gen 3 Firmware< n2vet33w
LenovoThinkpad T460s Firmware< n1cet84w
LenovoThinkpad S2 Gen 6 Firmware< 2021-10-31
LenovoThinkpad X1 Carbon Gen 6 Firmware< n23et78w
LenovoThinkpad X1 Carbon Gen 7 Firmware< n2het64w
LenovoThinkpad X1 Carbon Gen 8 Firmware< n2het64w
LenovoThinkpad T560 Firmware< n1ket52w
LenovoThinkpad T460p Firmware< 2021-10-29
LenovoThinkpad W550s Firmware< n11et54w
LenovoThinkpad T590 Firmware< n2iet96w
LenovoThinkpad T570 Firmware< n1vet57w
LenovoThinkpad S2 Yoga Gen 6 Firmware< 2021-10-31
LenovoThinkpad T480 Firmware< n24et65w
LenovoThinkpad X1 Tablet Firmware< n1let92w
LenovoThinkpad T550 Firmware< n11et54w
LenovoThinkpad X1 Carbon 3rd Gen Firmware< n14et56w
LenovoThinkpad X1 Tablet Gen 2 Firmware< n1oet56w
LenovoThinkpad X1 Tablet Gen 3 Firmware< 2021-10-29
LenovoThinkpad T580 Firmware< n27et43w

Showing 50 of 136 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-3599?
A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
How severe is CVE-2021-3599?
CVE-2021-3599 has a CVSS score of 6.7/10 (MEDIUM severity). The EPSS model estimates a 0.28% probability of exploitation in the next 30 days.
How do I fix CVE-2021-3599?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-3599?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST