CVE-2023-4028
Severity: MEDIUM | CVSS 6.7/10 | EPSS 0.18%
CVE-2023-4028 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code. EPSS estimates a 0.18% chance of exploitation in the next 30 days.
Description
A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code.
Metrics
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lenovo | 13w Yoga Firmware | < jacn38ww |
| Lenovo | 13w Yoga Gen 2 Firmware | < kbcn20ww |
| Lenovo | Ideapad 1-11ada05 Firmware | < fqcn29ww |
| Lenovo | Ideapad 1-11igl05 Firmware | < dwcn28ww |
| Lenovo | Ideapad 1-14ada05 Firmware | < fqcn29ww |
| Lenovo | Ideapad 1-14igl05 Firmware | < dwcn28ww |
| Lenovo | Flex 5-14alc05 Firmware | < gjcn32ww |
| Lenovo | Flex 5-14are05 Firmware | < eecn43ww |
| Lenovo | Flex 5-14iil05 Firmware | < eccn45ww |
| Lenovo | Flex 5-14itl05 Firmware | < fxcn44ww |
| Lenovo | Flex 5-15alc05 Firmware | < gjcn32ww |
| Lenovo | Flex 5-15iil05 Firmware | < eccn45ww |
| Lenovo | Flex 5-15itl05 Firmware | < fxcn44ww |
| Lenovo | Ideapad Flex 5 14abr8 Firmware | < l7cn17ww |
| Lenovo | Ideapad Flex 5 14alc7 Firmware | < jccn35ww |
| Lenovo | Ideapad Flex 5 14iau7 Firmware | < j7cn44ww |
| Lenovo | Ideapad Flex 5 14iru8 Firmware | < l6cn20ww |
| Lenovo | Ideapad Flex 5 16abr8 Firmware | < l7cn17ww |
| Lenovo | Ideapad Flex 5 16alc7 Firmware | < jccn35ww |
| Lenovo | Ideapad Flex 5 16iau7 Firmware | < j7cn44ww |
| Lenovo | Ideapad Flex 5 16iru8 Firmware | < l6cn20ww |
| Lenovo | Flex 7 14iru8 Firmware | < l6cn20ww |
| Lenovo | Thinkbook 13s G2 Are Firmware | < fvcn28ww |
| Lenovo | Thinkbook 13s G2 Itl Firmware | < f9cn57ww |
| Lenovo | Thinkbook 13s G3 Acn Firmware | < gmcn35ww |
| Lenovo | Thinkbook 13s G4 Iap Firmware | < hwcn49ww |
| Lenovo | Thinkbook 13x G2 Iap Firmware | < hxcn54ww |
| Lenovo | Thinkbook 14s G2 Itl Firmware | < f9cn57ww |
| Lenovo | Yoga 9-15imh5 Firmware | < epcn32ww |
References
- https://support.lenovo.com/us/en/product_security/LEN-134879 (Vendor Advisory)
Frequently Asked Questions
What is CVE-2023-4028?
A buffer overflow has been identified in the SystemUserMasterHddPwdDxe driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code.
How severe is CVE-2023-4028?
CVE-2023-4028 has a CVSS score of 6.7/10 (MEDIUM severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.
How do I fix CVE-2023-4028?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2023-4028?
Run a free Strix scan to check your systems for this vulnerability.
Source: NVD / NIST
