PT-2024-1819 · Lenovo · Lenovo ThinkSystem SR670V2

Published 2024-02-13 · Updated 2025-07-23 · CVE-2024-23591

CVSS v3.1: 2.3 (Low)

Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Lenovo ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023

Description

The issue is related to Lenovo ThinkSystem SR670V2 servers being left in Manufacturing Mode, which could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration settings. The server's NIST SP 800-193-compliant Platform Firmware Resiliency (PFR) security subsystem significantly mitigates this issue. The vulnerability is also described as being caused by a desynchronization of BIOS/UEFI and ME states due to the use of an unreleased configuration.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2024-01562
CVE-2024-23591

Affected Products

Lenovo ThinkSystem SR670V2