CVE-2020-8332

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-8332
A potential vulnerability in the SMI callback function used in the legacy BIOS mode USB drivers in some legacy Lenovo and IBM System x servers may allow arbitrary code execution. Servers operating in UEFI mode are not affected.

6.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
https://support.lenovo.com/us/en/product_security/LEN-38625 Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:lenovo:bladecenter_hs23_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:bladecenter_hs23:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:lenovo:bladecenter_hs23e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:bladecenter_hs23e:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:lenovo:compute_node-x440_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:compute_node-x440:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:lenovo:flex_system_x220_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:flex_system_x220:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:lenovo:flex_system_x240_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:flex_system_x240:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:lenovo:flex_system_x440_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:flex_system_x440:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:lenovo:nextscale_nx360_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:nextscale_nx360_m4:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:lenovo:system_x3300_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3300_m4:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:lenovo:system_x3500_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3500_m4:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:lenovo:system_x3530_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3530_m4:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:lenovo:system_x3550_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3550_m4:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:lenovo:system_x3630_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3630_m4:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:lenovo:system_x3650_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3650_m4:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:lenovo:system_x3650_m4_bd_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3650_m4_bd:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:lenovo:system_x3650_m4_hd_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3650_m4_hd:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:lenovo:system_x3750_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3750_m4:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:lenovo:system_x3750_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:system_x3750_m4:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:lenovo:idataplex_dx360_m4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:idataplex_dx360_m4:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:lenovo:idataplex_dx360_m4_water_cooled_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:idataplex_dx360_m4_water_cooled:-:*:*:*:*:*:*:*
History

No history.

Information

Published : 2020-10-14 22:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-8332

Mitre link : CVE-2020-8332

CVE.ORG link : CVE-2020-8332

JSON object : View

Products Affected

lenovo

  • idataplex_dx360_m4_firmware
  • bladecenter_hs23_firmware
  • system_x3530_m4_firmware
  • bladecenter_hs23
  • flex_system_x240
  • nextscale_nx360_m4_firmware
  • flex_system_x220
  • system_x3500_m4_firmware
  • nextscale_nx360_m4
  • flex_system_x440_firmware
  • system_x3750_m4
  • flex_system_x220_firmware
  • system_x3650_m4_hd
  • bladecenter_hs23e
  • system_x3750_m4_firmware
  • flex_system_x240_firmware
  • system_x3500_m4
  • idataplex_dx360_m4_water_cooled
  • system_x3300_m4
  • system_x3630_m4_firmware
  • system_x3650_m4_firmware
  • flex_system_x440
  • system_x3300_m4_firmware
  • compute_node-x440
  • idataplex_dx360_m4
  • bladecenter_hs23e_firmware
  • system_x3550_m4_firmware
  • system_x3650_m4_bd_firmware
  • idataplex_dx360_m4_water_cooled_firmware
  • system_x3530_m4
  • system_x3650_m4_bd
  • system_x3550_m4
  • system_x3650_m4
  • system_x3650_m4_hd_firmware
  • system_x3630_m4
  • compute_node-x440_firmware
CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition