Lenovo has released an update to fix several serious BIOS vulnerabilities affecting hundreds of devices across Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation and ThinkSystem models.
Exploiting these vulnerabilities can lead to information disclosure, privilege escalation, denial of service and, under certain circumstances, execution of arbitrary code. All of them require an attacker who already has local access with elevated privileges; the danger is that firmware-level code execution survives OS reinstalls and sits below the protections the operating system relies on.
Lenovo's patch bulletin lists the following vulnerabilities:
- CVE-2021-28216: a pointer vulnerability in the TianoCore EDK II reference UEFI implementation that lets a local attacker with elevated privileges escalate further and execute arbitrary code;
- CVE-2022-40134: an information leak in the Set BIOS Password SMI handler that lets an attacker read SMM memory;
- CVE-2022-40135: an information leak in the Smart USB Protection SMI handler that lets an attacker read SMM memory;
- CVE-2022-40136: an information leak in the SMI handler used to configure platform settings via WMI that lets an attacker read SMM memory;
- CVE-2022-40137: a buffer overflow in the WMI SMI handler that lets an attacker execute arbitrary code.
SMM (System Management Mode) is a highly privileged x86 CPU mode entered through a System Management Interrupt (SMI). The UEFI firmware installs the SMI handlers that run in it, and uses them for system-wide functions such as low-level hardware and power management. UEFI (Unified Extensible Firmware Interface) is the firmware that runs when a computer starts, initializes the hardware and then hands off to the operating system loaded from disk.
Code running in SMM sits below the operating system and any hypervisor: it can read and write all physical memory, and the OS cannot inspect the SMRAM it executes from. Because the OS (or an administrator) can trigger SMIs and supplies the data the handlers operate on, a handler that trusts an OS-provided pointer or length can be made to leak SMRAM contents or to overwrite SMRAM itself, which is exactly the class of bug in four of the five CVEs above. This is also why both AMD and Intel have developed SMM isolation mechanisms that restrict what SMM code may touch.
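To make the bug class concrete, here is an added, user-space illustration of how an SMI handler leaks or corrupts SMRAM by trusting its caller. It is not Lenovo's code: the bulletin does not publish the affected handlers, so the communication-buffer layout (`SmiCommBuffer`), the table it serves and the scenario functions are hypothetical, and SMRAM is simulated with a plain array. The hardened variant applies the same check that EDK II's `SmmIsBufferOutsideSmmValid()` performs on every OS-supplied pointer, plus bounds on offset and length, and snapshots the request before checking it so the caller cannot change it between check and use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for SMRAM. On real hardware this is the TSEG region the chipset
 * hides from the OS once the SMRAM lock is set; here it is a plain array so
 * the example runs as an ordinary program. (Constructed for this example.) */
#define SMRAM_SIZE 4096
static uint8_t g_smram[SMRAM_SIZE];

/* Hypothetical handler-private table inside SMRAM (think: a cached setting
 * or password hash). Bytes after it are unrelated SMRAM data. */
#define TABLE_OFFSET 256
#define TABLE_SIZE   64
static uint8_t *private_table(void) { return g_smram + TABLE_OFFSET; }

/* Hypothetical SMI communication buffer. The caller (ring 0, or an admin
 * able to trigger the SMI) fills every field; none of it can be trusted. */
typedef struct {
    uint8_t *Dest;    /* where the caller wants the result written */
    size_t   Offset;  /* offset into the private table */
    size_t   Length;  /* number of bytes requested */
} SmiCommBuffer;

/* VULNERABLE pattern: honours Dest/Offset/Length as given.
 *  - Offset+Length past the table copies neighbouring SMRAM out to the
 *    caller: an SMM information leak.
 *  - Dest pointing into SMRAM makes SMM overwrite its own memory: the write
 *    primitive behind "arbitrary code execution" SMI handler bugs. */
int vulnerable_handler(const SmiCommBuffer *cb) {
    memcpy(cb->Dest, private_table() + cb->Offset, cb->Length);
    return 0;
}

/* Overflow-safe test that [addr, addr+len) lies entirely outside SMRAM.
 * Same idea as EDK II's SmmIsBufferOutsideSmmValid(). */
bool buffer_outside_smram(const void *addr, size_t len) {
    uintptr_t start = (uintptr_t)addr;
    uintptr_t smram_lo = (uintptr_t)g_smram;
    uintptr_t smram_hi = smram_lo + SMRAM_SIZE;        /* exclusive */
    if (len == 0) return false;                        /* nothing valid to do */
    if (start > UINTPTR_MAX - len) return false;       /* start+len would wrap */
    uintptr_t end = start + len;                       /* exclusive */
    return end <= smram_lo || start >= smram_hi;
}

/* HARDENED pattern: snapshot the request into SMRAM-side storage first (so
 * the OS cannot edit it between check and use), then bound every field. */
int hardened_handler(const SmiCommBuffer *cb_untrusted) {
    SmiCommBuffer cb = *cb_untrusted;                  /* TOCTOU guard */
    if (cb.Length == 0 || cb.Length > TABLE_SIZE) return -1;
    if (cb.Offset > TABLE_SIZE - cb.Length) return -1; /* stays inside table */
    if (!buffer_outside_smram(cb.Dest, cb.Length)) return -1;
    memcpy(cb.Dest, private_table() + cb.Offset, cb.Length);
    return 0;
}

/* Scenario 1: ask for 8 bytes starting 4 bytes before the table ends, so 4
 * bytes of whatever follows the table come back too. */
int leak_byte_vulnerable(void) {
    uint8_t out[8] = {0};
    g_smram[TABLE_OFFSET + TABLE_SIZE] = 0xA5;         /* "secret" past the table */
    SmiCommBuffer req = { out, TABLE_SIZE - 4, sizeof out };
    vulnerable_handler(&req);
    return out[4];                                     /* leaked 0xA5 */
}
int leak_status_hardened(void) {
    uint8_t out[8] = {0};
    SmiCommBuffer req = { out, TABLE_SIZE - 4, sizeof out };
    return hardened_handler(&req);                     /* -1: rejected */
}

/* Scenario 2: Dest points into SMRAM itself. */
int smram_write_vulnerable(void) {
    memset(private_table(), 0x11, 8);
    SmiCommBuffer req = { g_smram, 0, 8 };             /* Dest inside SMRAM */
    vulnerable_handler(&req);
    return g_smram[0];                                 /* 0x11: SMRAM overwritten */
}
int smram_write_hardened(void) {
    SmiCommBuffer req = { g_smram, 0, 8 };
    return hardened_handler(&req);                     /* -1: rejected */
}

/* Scenario 3: a legitimate request still succeeds through the hardened path. */
int legit_hardened(void) {
    uint8_t out[16] = {0};
    memset(private_table(), 0x42, TABLE_SIZE);
    SmiCommBuffer req = { out, 0, sizeof out };
    if (hardened_handler(&req) != 0) return -1;
    return out[15];                                    /* 0x42 */
}

int main(void) {
    printf("leak:  vulnerable=0x%02x hardened=%d\n", leak_byte_vulnerable(), leak_status_hardened());
    printf("write: vulnerable=0x%02x hardened=%d\n", smram_write_vulnerable(), smram_write_hardened());
    printf("legit: hardened returns byte 0x%02x\n", legit_hardened());
    return 0;
}
```

In real firmware the same three checks apply to every pointer and size that arrives through the communication buffer, not just the destination: the buffer itself must lie outside SMRAM, nested pointers inside it must be validated after being copied in, and no arithmetic on caller-supplied sizes may be allowed to wrap.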
Lenovo has fixed issues in the latest BIOS updates for the affected products. Most of the patches currently released are available as of July and August 2022.
Additional fixes are expected by the end of September and October, and a small list of models will receive updates next year.
A full list of affected computer models and BIOS firmware versions addressing each vulnerability is included in the security bulletin with links to the download portal for each model.
In addition, owners of Lenovo computers can go to the Drivers and Software portal, search for their product by name, select "Manual Update" and download the latest available BIOS firmware version.
In July, it became known that more than 70 Lenovo laptop models were affected by serious UEFI firmware vulnerabilities, including a buffer overflow. The problems were discovered by security researchers at ESET, who assigned them a medium severity rating.