Severity: 7.8
CWE: 276

CVE-2022-3431

First published: Mon Oct 09 2023

A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices, which was mistakenly not deactivated, may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.

Credit: psirt@lenovo.com

| Affected Software | Affected Version |
| --- | --- |
| Lenovo Ideapad Creator 5-16ach6 Firmware | <gscn34ww |
| Lenovo Ideapad Creator 5-16ach6 | |
| Lenovo Ideapad 5 Pro-16ihu6 Firmware | <grcn22ww |
| Lenovo Ideapad 5 Pro-16ihu6 | |
| Lenovo Ideapad 5 Pro-16ach6 Firmware | <gscn34ww |
| Lenovo Ideapad 5 Pro-16ach6 | |
| Lenovo Yoga Slim 7-13itl05 Firmware | <f7cn39ww |
| Lenovo Yoga Slim 7-13itl05 | |
| Lenovo Yoga Slim 7-13acn05 Firmware | <ghcn28ww |
| Lenovo Yoga Slim 7-13acn05 | |
| Lenovo Yoga Slim 7 Pro 16arh7 Firmware | <klcn15ww |
| Lenovo Yoga Slim 7 Pro 16arh7 | |
| Lenovo Yoga Slim 7 Pro 16ach6 Firmware | <hucn16ww |
| Lenovo Yoga Slim 7 Pro 16ach6 | |
| Lenovo Yoga Slim 7 Carbon 13itl5 Firmware | <f7cn39ww |
| Lenovo Yoga Slim 7 Carbon 13itl5 | |
| Lenovo Yoga Duet 7-13itl6-lte Firmware | <gpcn24ww |
| Lenovo Yoga Duet 7-13itl6-lte | |
| Lenovo Yoga Duet 7-13itl6 Firmware | <gpcn24ww |
| Lenovo Yoga Duet 7-13itl6 | |
| Lenovo Yoga Duet 7-13iml05 Firmware | <ercn30ww |
| Lenovo Yoga Duet 7-13iml05 | |
| Lenovo Thinkbook Plus G3 Iap Firmware | <k6cn29ww |
| Lenovo Thinkbook Plus G3 Iap | |
| Lenovo Thinkbook Plus G2 Itg Firmware | <gycn31ww |
| Lenovo Thinkbook Plus G2 Itg | |
| Lenovo Thinkbook 16p Nx Arh Firmware | <kjcn27ww |
| Lenovo Thinkbook 16p Nx Arh | |
| Lenovo Thinkbook 16 G4+ Iap Firmware | <hycn40ww |
| Lenovo Thinkbook 16 G4+ Iap | |
| Lenovo Thinkbook 16 G4+ Ara Firmware | <j6cn40ww |
| Lenovo Thinkbook 16 G4+ Ara | |
| Lenovo Thinkbook 14 G4+ Iap Firmware | <hycn40ww |
| Lenovo Thinkbook 14 G4+ Iap | |
| Lenovo Thinkbook 14 G4+ Ara Firmware | <j6cn40ww |
| Lenovo Thinkbook 14 G4+ Ara | |
| Lenovo Thinkbook 13x Itg Firmware | <hlcn30ww |
| Lenovo Thinkbook 13x Itg | |
| Lenovo Ideapad Slim 7 Pro 16ach6 Firmware | <hucn16ww |
| Lenovo Ideapad Slim 7 Pro 16ach6 | |
| Lenovo S540-15iml Firmware | <cncn22ww |
| Lenovo S540-15iml | |
| Lenovo Slim 7 16arh7 Firmware | <klcn15ww |
| Lenovo Slim 7 16arh7 | |
| Lenovo Ideapad Duet 3 10igl5 Firmware | <eqcn37ww |
| Lenovo Ideapad Duet 3 10igl5 | |
| Lenovo Ideapad 5 Pro 16arh7 Firmware | <j4cn33ww |
| Lenovo Ideapad 5 Pro 16arh7 | |
| Lenovo D330-10igl Firmware | <g0cn11ww |
| Lenovo D330-10igl | |

Remedy

Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-94952.


Frequently Asked Questions

  • What is CVE-2022-3431?

    CVE-2022-3431 is a potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices.

  • How does CVE-2022-3431 affect Lenovo devices?

    CVE-2022-3431 may allow an attacker with elevated privileges to modify secure boot settings by modifying an NVRAM variable.

  • Which Lenovo devices are affected by CVE-2022-3431?

    Some consumer Lenovo Notebook devices are affected by CVE-2022-3431.

  • What is the severity of CVE-2022-3431?

    CVE-2022-3431 has a severity rating of 7.8, which is considered high.

  • How can I fix CVE-2022-3431?

    To fix CVE-2022-3431, Lenovo has released a firmware update. Please refer to the Lenovo Product Security website for more information and to download the update.
