CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0CVE-2016-6257
https://notcve.org/view.php?id=CVE-2016-6257
The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon SK-8861, Ultraslim Wireless, and Silver Silk keyboards and Liteon ZTM600 and Ultraslim Wireless mice, does not enforce incrementing AES counters, which allows remote attackers to inject encrypted keyboard input into the system by leveraging proximity to the dongle, aka a "KeyJack injection attack." El firmware en Lenovo Ultraslim dongles, como se usa con teclados Lenovo Liteon SK-8861, Ultraslim Wireless y Silver Silk y ratones Liteon ZTM600 y Ultraslim Wireless, no fuerza incrementar contadores AES, lo que permite a atacantes remotos inyectar entrada de teclado cifrada en el sistema mediante el aprovechamiento de la proximidad al dongle, también conocido como un "ataque de inyección KeyJack". • http://www.securityfocus.com/bid/92179 https://github.com/BastilleResearch/keyjack/blob/master/doc/advisories/bastille-13.lenovo-ultraslim.public.txt https://support.lenovo.com/product_security/len_7267 https://www.bastille.net/research/vulnerabilities/keyjack • CWE-310: Cryptographic Issues •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5248
https://notcve.org/view.php?id=CVE-2016-5248
The StopProxy command in LSC.Services.SystemService in Lenovo Solution Center before 3.3.003 allows local users to terminate arbitrary processes via the PID argument. El comando StopProxy en LSC.Services.SystemService en Lenovo Solution Center en versiones anteriores a 3.3.003 permite a usuarios locales terminar procesos arbitrarios a través del argumento PID. • https://support.lenovo.com/us/en/product_security/len_7814 https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-012/?fid=8073 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5249
https://notcve.org/view.php?id=CVE-2016-5249
Lenovo Solution Center (LSC) before 3.3.003 allows local users to execute arbitrary code with LocalSystem privileges via vectors involving the LSC.Services.SystemService StartProxy command with a named pipe created in advance and crafted .NET assembly. Lenovo Solution Center (LSC) en versiones anteriores a 3.3.003 permite a usuarios locales ejecutar código arbitrario con privilegios de LocalSystem a través de vectores involucrando el comando LSC.Services.SystemService StartProxy con una canalización nombrada creada de antemano y con un ensamblado .NET manipulado. • https://support.lenovo.com/us/en/product_security/len_7814 https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-012/?fid=8073 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5729
https://notcve.org/view.php?id=CVE-2016-5729
Lenovo BIOS EFI Driver allows local administrators to execute arbitrary code with System Management Mode (SMM) privileges via unspecified vectors. Lenovo BIOS EFI Driver permite a administradores locales ejecutar código arbitrario con privilegios de System Management Mode (SMM) a través de vectores no especificados. • http://www.securityfocus.com/bid/91536 https://support.lenovo.com/us/en/product_security/len_4901 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3944
https://notcve.org/view.php?id=CVE-2016-3944
UpdateAgent in Lenovo Accelerator Application allows man-in-the-middle attackers to execute arbitrary code by spoofing an update response from susapi.lenovomm.com. UpdateAgent en Lenovo Accelerator Application permite a atacantes man-in-the-middle ejecutar código arbitrario suplantando una respuesta de actualización de susapi.lenovomm.com. • https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters https://support.lenovo.com/us/en/product_security/len_6718 • CWE-20: Improper Input Validation •