Vulnerability Details : CVE-2015-2233
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 does not properly validate CA chains during signature validation, which allows man-in-the-middle attackers to upload and execute arbitrary files via a crafted certificate.
Products affected by CVE-2015-2233
- cpe:2.3:a:lenovo:system_update:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2233
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~16% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-2233
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.3 | HIGH | AV:A/AC:L/Au:N/C:C/I:C/A:C | 6.5 | 10.0 | NIST | |
CWE ids for CVE-2015-2233
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2233
- http://www.securityfocus.com/bid/74642
  Lenovo System Update CVE-2015-2233 Certificate Validation Security Bypass Vulnerability
- http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf
- http://securitytracker.com/id/1032268
  Lenovo System Update Lets Local Users Gain System Privileges and Remote Users Bypass Certificate Validation - SecurityTracker
- http://support.lenovo.com/us/en/product_security/lsu_privilege
  LEN-2015-011: Lenovo System Update Privilege Escalation - US (Vendor Advisory)