CVE-2018-9063 - OpenCVE

MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lenovo	System Update

Configuration 1 [-]

cpe:2.3:a:lenovo:system_update:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/104125
https://support.lenovo.com/us/en/solutions/LEN-19625

History

No history.

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2018-05-04T16:00:00Z

Updated: 2024-09-16T20:12:36.388Z

Reserved: 2018-03-27T00:00:00

Link: CVE-2018-9063

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-05-04T17:29:00.770

Modified: 2018-06-13T15:18:23.373

Link: CVE-2018-9063

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Lenovo System Update", "vendor": "Lenovo Group Ltd.", "versions": [{"status": "affected", "version": "Earlier than 5.07.0072"}]}], "datePublic": "2018-05-03T00:00:00", "descriptions": [{"lang": "en", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."}], "problemTypes": [{"descriptions": [{"description": "Buffer overflow", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-10T09:57:01", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"name": "104125", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104125"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "DATE_PUBLIC": "2018-05-03T00:00:00", "ID": "CVE-2018-9063", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Lenovo System Update", "version": {"version_data": [{"version_value": "Earlier than 5.07.0072"}]}}]}, "vendor_name": "Lenovo Group Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Buffer overflow"}]}]}, "references": {"reference_data": [{"name": "104125", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104125"}, {"name": "https://support.lenovo.com/us/en/solutions/LEN-19625", "refsource": "CONFIRM", "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:10:47.364Z"}, "title": "CVE Program Container", "references": [{"name": "104125", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104125"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}]}]}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2018-9063", "datePublished": "2018-05-04T16:00:00Z", "dateReserved": "2018-03-27T00:00:00", "dateUpdated": "2024-09-16T20:12:36.388Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:system_update:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F65FD54-263E-49DD-B6E9-362F33B85C8A", "versionEndExcluding": "5.07.0072", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."}, {"lang": "es", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) en Lenovo System Update, en versiones anteriores a la 5.07.0072, contiene una vulnerabilidad local en la que un atacant que introduzca un ID de usuario o una contrase\u00f1a muy largas puede desbordar el b\u00fafer del programa, provocando comportamientos indefinidos como la ejecuci\u00f3n de c\u00f3digo arbitrario. No se otorgan m\u00e1s privilegios al atacante m\u00e1s all\u00e1 de los que ya se poseen para ejecutar MapDrv."}], "id": "CVE-2018-9063", "lastModified": "2018-06-13T15:18:23.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-04T17:29:00.770", "references": [{"source": "psirt@lenovo.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104125"}, {"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}