CWE-693

CVE-2021-3453

First published: Fri Jul 16 2021

Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard, which could allow an attacker with physical access to write to the SPI flash storage.

Credit: psirt@lenovo.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lenovo Thinkpad Helix Firmware | =n17etb4w | |
| Lenovo Thinkpad Helix | | |
| Lenovo Thinkpad T550 Firmware | =n11et53w | |
| Lenovo Thinkpad T550 | | |
| Lenovo Thinkpad W550s Firmware | =n11et53w | |
| Lenovo Thinkpad W550s | | |
| Lenovo Thinkpad X1 Carbon 3rd Gen Firmware | =n14et55w | |
| Lenovo Thinkpad X1 Carbon 3rd Gen | | |
| Lenovo Thinkpad X250 Firmware | =n10et62w | |
| Lenovo Thinkpad X250 | | |
| Lenovo Thinkpad Yoga 15 Firmware | =n19et65w | |
| Lenovo Thinkpad Yoga 15 | | |
| Lenovo 730s-13iml Firmware | | |
| Lenovo 730s-13iml | | |
| Lenovo Ideapad 1-11igl05 Firmware | | |
| Lenovo Ideapad 1-11igl05 | | |
| Lenovo Ideapad 1-14igl05 Firmware | | |
| Lenovo Ideapad 1-14igl05 | | |
| Lenovo Ideapad S940-14iil Firmware | | |
| Lenovo Ideapad S940-14iil | | |
| Lenovo Ideapad S940-14iwl Firmware | | |
| Lenovo Ideapad S940-14iwl | | |
| Lenovo Ideapad Slim 1-11ast-05 Firmware | | |
| Lenovo Ideapad Slim 1-11ast-05 | | |
| Lenovo Ideapad Slim 1-14ast-05 Firmware | | |
| Lenovo Ideapad Slim 1-14ast-05 | | |
| Lenovo V130-15igm Firmware | | |
| Lenovo V130-15igm | | |
| Lenovo V330-15ikb Firmware | | |
| Lenovo V330-15ikb | | |
| Lenovo V330-15isk Firmware | | |
| Lenovo V330-15isk | | |
| Lenovo Yoga S730-13iml Firmware | | |
| Lenovo Yoga S730-13iml | | |
| Lenovo Yoga S940-14iil Firmware | | |
| Lenovo Yoga S940-14iil | | |
| Lenovo Yoga S940-14iwl Firmware | | |
| Lenovo Yoga S940-14iwl | | |
| Lenovo Ideacentre Aio 5-24imb05 Firmware | <2021-09-30 | |
| Lenovo Ideacentre Aio 5-24imb05 | | |
| Lenovo Ideacentre Aio 5-74imb05 Firmware | <2021-09-30 | |
| Lenovo Ideacentre Aio 5-74imb05 | | |

Remedy

Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-65529.


Frequently Asked Questions

  • What is CVE-2021-3453?

    CVE-2021-3453 is a vulnerability found in some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems that allows an attacker with physical access to write to the SPI flash storage.

  • How severe is CVE-2021-3453?

    CVE-2021-3453 has a severity rating of 4.6, which is considered medium.

  • Which Lenovo systems are affected by CVE-2021-3453?

    Lenovo ThinkPad Helix, Lenovo ThinkPad T550, Lenovo ThinkPad W550s, Lenovo ThinkPad X1 Carbon 3rd Gen, Lenovo ThinkPad X250, Lenovo ThinkPad Yoga 15, Lenovo 730s-13iml, Lenovo Ideapad 1-11igl05, Lenovo Ideapad 1-14igl05, Lenovo Ideapad S940-14iil, Lenovo Ideapad S940-14iwl, Lenovo Ideapad Slim 1-11ast-05, Lenovo Ideapad Slim 1-14ast-05, Lenovo V130-15igm, Lenovo V330-15ikb, Lenovo V330-15isk, Lenovo Yoga S730-13iml, Lenovo Yoga S940-14iil, Lenovo Yoga S940-14iwl, Lenovo Ideacentre Aio 5-24imb05, and Lenovo Ideacentre Aio 5-74imb05 are affected by CVE-2021-3453.

  • How can an attacker exploit CVE-2021-3453?

    An attacker with physical access to the affected systems can exploit CVE-2021-3453 by writing to the SPI flash storage.

  • Where can I find more information about CVE-2021-3453?

    You can find more information about CVE-2021-3453 on the Lenovo product security website: https://support.lenovo.com/us/en/product_security/LEN-65529
