Strix
26.1K

CVE-2021-3972

MEDIUMCVSS 6.7/10EPSS 2.97%

Last modified

CVE-2021-3972 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.. EPSS estimates a 2.97% chance of exploitation in the next 30 days.

Description

A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Metrics

CVSS 3.1
6.7/10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
2.97%

85.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LenovoIdeapad 3-14ada05 Firmware< e8cn33ww
LenovoIdeapad 3-14ada6 Firmware< hbcn21ww
LenovoIdeapad 3-14alc6 Firmware< glcn43ww
LenovoIdeapad 3-14are05 Firmware< dzcn42ww
LenovoIdeapad 3-15ada6 Firmware< hbcn21ww
LenovoIdeapad 3-15alc6 Firmware< glcn43ww
LenovoIdeapad 3-15are05 Firmware< dzcn42ww
LenovoIdeapad 3-15igl05 Firmware< dvcn23ww
LenovoIdeapad 3-17ada05 Firmware< e8cn33ww
LenovoIdeapad 3-17ada6 Firmware< hbcn21ww
LenovoIdeapad 3-17alc6 Firmware< glcn43ww
LenovoIdeapad 3-17are05 Firmware< dzcn42ww
LenovoIdeapad 3-17iil05 Firmware< emcn52ww
LenovoIdeapad 3-17itl6 Firmware< ggcn33ww
LenovoIdeapad 3-15ada05 Firmware< e8cn33ww
LenovoL3 15iml05 Firmware< ejcn27ww
LenovoL3-15itl6 Firmware< gfcn23ww
LenovoL340-15irh Firmware< bgcn35ww
LenovoL340-15iwl Firmware< atcn46ww
LenovoL340-15iwl Touch Firmware< atcn46ww
LenovoL340-17irh Firmware< bgcn35ww
LenovoL340-17iwl Firmware< atcn46ww
LenovoLegion 5 Pro-16ach6 Firmware< hhcn25ww
LenovoLegion 5 Pro-16ach6h Firmware< gkcn51ww
LenovoLegion 5 Pro-16ith6 Firmware< h1cn46ww
LenovoLegion 5 Pro-16ith6h Firmware< h1cn46ww
LenovoLegion 5-15ach6 Firmware< hhcn25ww
LenovoLegion 5-15ach6a Firmware< g9cn28ww
LenovoLegion 5-15ach6h Firmware< gkcn51ww
LenovoLegion 5-15imh6 Firmware< g8cn19ww
LenovoLegion 5-15ith6 Firmware< h1cn46ww
LenovoLegion 5-15ith6h Firmware< h1cn46ww
LenovoLegion 5-17ach6 Firmware< hhcn25ww
LenovoLegion 5-17ach6h Firmware< gkcn51ww
LenovoLegion 5-17ith6 Firmware< h1cn46ww
LenovoLegion 5-17ith6h Firmware< h1cn46ww
LenovoLegion 7-16achg6 Firmware< gkcn51ww
LenovoLegion 7-16ithg6 Firmware< gkcn51ww
LenovoLegion S7-15ach6 Firmware< hacn35ww
LenovoLegion Y540-15irh Firmware< bhcn44ww
LenovoLegion Y540-15irh-Pg0 Firmware< bhcn44ww
LenovoLegion Y540-17irh Firmware< bhcn44ww
LenovoLegion Y540-17irh-Pg0 Firmware< bhcn44ww
LenovoLegion Y545 Firmware< bhcn44ww
LenovoLegion Y545-Pg0 Firmware< bhcn44ww
LenovoLegion Y7000-2019 Firmware< bhcn44ww
LenovoLegion Y7000-2019-Pg0 Firmware< bhcn44ww
LenovoS14 G2 Itl Firmware< ggcn33ww
LenovoS145-14api Firmware< bucn31ww
LenovoS145-14ast Firmware< aycn26ww

Showing 50 of 105 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-3972?
A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.
How severe is CVE-2021-3972?
CVE-2021-3972 has a CVSS score of 6.7/10 (MEDIUM severity). The EPSS model estimates a 2.97% probability of exploitation in the next 30 days.
How do I fix CVE-2021-3972?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-3972?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST