CVE-2022-4575 - Vulnerability Details

A vulnerability due to improper write protection of UEFI variables was reported in the BIOS of some ThinkPad models could allow an attacker with physical or local access and elevated privileges the ability to bypass Secure Boot.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00005.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Lenovo

ThinkPad BIOS

unaffected

Version	Status	Constraints
`various`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:thinkpad_25_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_25:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lenovo:thinkpad_l560_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_l560:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:lenovo:thinkpad_p50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_p50:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:lenovo:thinkpad_p50s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_p50s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:lenovo:thinkpad_p70_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_p70:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:lenovo:thinkpad_t470_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_t470:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:lenovo:thinkpad_t470s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_t470s:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:lenovo:thinkpad_t560_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_t560:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:lenovo:thinkpad_x1_carbon_4th_gen_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_x1_carbon_4th_gen:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:lenovo:thinkpad_x1_yoga_1st_gen_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_x1_yoga_1st_gen:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:lenovo:thinkpad_x260_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_x260:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:lenovo:thinkpad_x270_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_x270:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:lenovo:thinkpad_yoga_260_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:thinkpad_yoga_260:-:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Lenovo Subscribe	Thinkpad 25 Subscribe Thinkpad 25 Firmware Subscribe Thinkpad L560 Subscribe Thinkpad L560 Firmware Subscribe Thinkpad P50 Subscribe Thinkpad P50 Firmware Subscribe Thinkpad P50s Subscribe Thinkpad P50s Firmware Subscribe Thinkpad P70 Subscribe Thinkpad P70 Firmware Subscribe Thinkpad T470 Subscribe Thinkpad T470 Firmware Subscribe Thinkpad T470s Subscribe Thinkpad T470s Firmware Subscribe Thinkpad T560 Subscribe Thinkpad T560 Firmware Subscribe Thinkpad X1 Carbon 4th Gen Subscribe Thinkpad X1 Carbon 4th Gen Firmware Subscribe Thinkpad X1 Yoga 1st Gen Subscribe Thinkpad X1 Yoga 1st Gen Firmware Subscribe Thinkpad X260 Subscribe Thinkpad X260 Firmware Subscribe Thinkpad X270 Subscribe Thinkpad X270 Firmware Subscribe Thinkpad Yoga 260 Subscribe Thinkpad Yoga 260 Firmware Subscribe

Advisories

No advisories yet.

Fixes

Solution

Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-106014.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://support.lenovo.com/us/en/product_security/LEN-106014

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2023-10-30T14:42:29.795Z

Updated: 2024-08-03T01:41:45.637Z

Reserved: 2022-12-16T21:26:17.285Z

Link: CVE-2022-4575

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-10-30T15:15:40.493

Modified: 2024-11-21T07:35:31.517

Link: CVE-2022-4575

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-276

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object