CVE-2018-9063 - OpenCVE

MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	System Update

Configuration 1 [-]

cpe:2.3:a:lenovo:system_update:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/104125	Third Party Advisory VDB Entry
https://support.lenovo.com/us/en/solutions/LEN-19625	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2018-05-03T00:00:00

Updated: 2018-05-10T09:57:01

Reserved: 2018-03-27T00:00:00

Link: CVE-2018-9063

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-05-04T17:29:00.770

Modified: 2018-06-13T15:18:23.373

Link: CVE-2018-9063

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "Lenovo System Update", "vendor": "Lenovo Group Ltd.", "versions": [{"status": "affected", "version": "Earlier than 5.07.0072"}]}], "datePublic": "2018-05-03T00:00:00", "descriptions": [{"lang": "en", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."}], "problemTypes": [{"descriptions": [{"description": "Buffer overflow", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-10T09:57:01", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"name": "104125", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104125"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "DATE_PUBLIC": "2018-05-03T00:00:00", "ID": "CVE-2018-9063", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Lenovo System Update", "version": {"version_data": [{"version_value": "Earlier than 5.07.0072"}]}}]}, "vendor_name": "Lenovo Group Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Buffer overflow"}]}]}, "references": {"reference_data": [{"name": "104125", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104125"}, {"name": "https://support.lenovo.com/us/en/solutions/LEN-19625", "refsource": "CONFIRM", "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}]}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2018-9063", "datePublished": "2018-05-03T00:00:00", "dateReserved": "2018-03-27T00:00:00", "dateUpdated": "2018-05-10T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:system_update:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F65FD54-263E-49DD-B6E9-362F33B85C8A", "versionEndExcluding": "5.07.0072", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."}, {"lang": "es", "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) en Lenovo System Update, en versiones anteriores a la 5.07.0072, contiene una vulnerabilidad local en la que un atacant que introduzca un ID de usuario o una contrase\u00f1a muy largas puede desbordar el b\u00fafer del programa, provocando comportamientos indefinidos como la ejecuci\u00f3n de c\u00f3digo arbitrario. No se otorgan m\u00e1s privilegios al atacante m\u00e1s all\u00e1 de los que ya se poseen para ejecutar MapDrv."}], "id": "CVE-2018-9063", "lastModified": "2018-06-13T15:18:23.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-04T17:29:00.770", "references": [{"source": "psirt@lenovo.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104125"}, {"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}