Intel Management Engine protection not set on some Lenovo Notebook and ThinkServer systems - us

Lenovo Security Advisory: LEN-9903

Potential Impact: Denial of service or privilege escalation by an attacker with administrative access

Severity: Medium

**Scope of Impact:**Industry-Wide

**CVE Identifier:**CVE-2016-8224

Summary Description:

A vulnerability has been identified in some Lenovo Notebook and ThinkServer systems where an attacker with administrative privileges on a system could install a program that circumvents Intel Management Engine (ME) protections. This could result in a denial of service or privilege escalation attack on the system.

The Intel Management Engine (ME) is a set of hardware features developed by Intel that enable administrators to manage, repair and protect computers on their networks. During the manufacturing process, a setting is configured on the manufacturing line that locks regions of memory used by the ME and prevents them from being reconfigured. Lenovo has discovered that this protection was not enabled on certain Lenovo systems.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update your system to the latest BIOS level by following the links below.

Product Impact: