CVE-2021-3971

Severity: MEDIUM | CVSS 6.7/10 | EPSS 1.29%


CVE-2021-3971 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices, and mistakenly left in the BIOS image, could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable. EPSS estimates a 1.29% chance of exploitation in the next 30 days.

Description

A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.

Metrics

CVSS 3.1
6.7/10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
1.29%

66.6th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor   Product                           Versions
Lenovo   Ideapad 3-14ada05 Firmware        < e8cn33ww
Lenovo   Ideapad 3-14ada6 Firmware         < hbcn21ww
Lenovo   Ideapad 3-14alc6 Firmware         < glcn43ww
Lenovo   Ideapad 3-14are05 Firmware        < dzcn42ww
Lenovo   Ideapad 3-15ada6 Firmware         < hbcn21ww
Lenovo   Ideapad 3-15alc6 Firmware         < glcn43ww
Lenovo   Ideapad 3-15are05 Firmware        < dzcn42ww
Lenovo   Ideapad 3-15igl05 Firmware        < dvcn23ww
Lenovo   Ideapad 3-17ada05 Firmware        < e8cn33ww
Lenovo   Ideapad 3-17ada6 Firmware         < hbcn21ww
Lenovo   Ideapad 3-17alc6 Firmware         < glcn43ww
Lenovo   Ideapad 3-17are05 Firmware        < dzcn42ww
Lenovo   Ideapad 3-17iil05 Firmware        < emcn52ww
Lenovo   Ideapad 3-15ada05 Firmware        < e8cn33ww
Lenovo   L3-15itl6 Firmware                < gfcn23ww
Lenovo   L340-15irh Firmware               < bgcn35ww
Lenovo   L340-15iwl Firmware               < atcn46ww
Lenovo   L340-15iwl Touch Firmware         < atcn46ww
Lenovo   L340-17irh Firmware               < bgcn35ww
Lenovo   L340-17iwl Firmware               < atcn46ww
Lenovo   Legion 5 Pro-16ach6 Firmware      < hhcn25ww
Lenovo   Legion 5 Pro-16ach6h Firmware     < gkcn51ww
Lenovo   Legion 5 Pro-16ith6 Firmware      < h1cn46ww
Lenovo   Legion 5 Pro-16ith6h Firmware     < h1cn46ww
Lenovo   Legion 5-15ach6 Firmware          < hhcn25ww
Lenovo   Legion 5-15ach6a Firmware         < g9cn28ww
Lenovo   Legion 5-15ach6h Firmware         < gkcn51ww
Lenovo   Legion 5-15ith6 Firmware          < h1cn46ww
Lenovo   Legion 5-15ith6h Firmware         < h1cn46ww
Lenovo   Legion 5-17ach6 Firmware          < hhcn25ww
Lenovo   Legion 5-17ach6h Firmware         < gkcn51ww
Lenovo   Legion 5-17ith6 Firmware          < h1cn46ww
Lenovo   Legion 5-17ith6h Firmware         < h1cn46ww
Lenovo   Legion 7-16achg6 Firmware         < gkcn51ww
Lenovo   Legion 7-16ithg6 Firmware         < gkcn51ww
Lenovo   Legion Y540-15irh Firmware        < bhcn44ww
Lenovo   Legion Y540-15irh-Pg0 Firmware    < bhcn44ww
Lenovo   Legion Y540-17irh Firmware        < bhcn44ww
Lenovo   Legion Y540-17irh-Pg0 Firmware    < bhcn44ww
Lenovo   Legion Y545 Firmware              < bhcn44ww
Lenovo   Legion Y545-Pg0 Firmware          < bhcn44ww
Lenovo   Legion Y7000-2019 Firmware        < bhcn44ww
Lenovo   Legion Y7000-2019-Pg0 Firmware    < bhcn44ww
Lenovo   S145-14api Firmware               < bucn31ww
Lenovo   S145-14ast Firmware               < aycn26ww
Lenovo   S145-14igm Firmware               < awcn28ww
Lenovo   S145-14iil Firmware               < dkcn54ww
Lenovo   S145-15api Firmware               < bucn31ww
Lenovo   S145-15ast Firmware               < aycn26ww
Lenovo   S145-15igm Firmware               < awcn28ww

Showing 50 of 73 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2021-3971?
A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
How severe is CVE-2021-3971?
CVE-2021-3971 has a CVSS score of 6.7/10 (MEDIUM severity). The EPSS model estimates a 1.29% probability of exploitation in the next 30 days.
How do I fix CVE-2021-3971?
Check the vendor references and advisories linked above for patched firmware versions and mitigation guidance.


Source: NVD / NIST