Lenovo issued a security notice informing customers of multiple serious BIOS vulnerabilities affecting hundreds of Lenovo devices across various models (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).
Exploiting the vulnerabilities might result in the disclosure of sensitive information, an increase in privileges, a denial of service, and possibly even the execution of arbitrary code in some situations.
The following are the six flaws detailed in Lenovo’s security advisory:
- CVE-2021-28216: Fixed pointer flaw in TianoCore EDK II BIOS (reference implementation of UEFI), allowing an attacker to elevate privileges and execute arbitrary code.
- CVE-2022-40134: Information leak flaw in the SMI Set Bios Password SMI Handler, allowing an attacker to read SMM memory.
- CVE-2022-40135: Information leak vulnerability in the Smart USB Protection SMI Handler, allowing an attacker to read SMM memory.
- CVE-2022-40136: Information leak flaw in SMI Handler used for configuring platform settings over WMI, enabling an attacker to read SMM memory.
- CVE-2022-40137: Buffer overflow in the WMI SMI Handler, enabling an attacker to execute arbitrary code.
- American Megatrends security enhancements (no CVEs).
The problems have been resolved in the most recent BIOS upgrades that Lenovo has released for the affected models.
The majority of patches have been accessible since July and August of 2022.
Additional patches are anticipated to be released by the end of September and October. In addition, a limited number of models will receive updates in the following year.
The security alert contains a comprehensive list of the affected computer models, the BIOS firmware version that mitigates each vulnerability, and download links for each model.
Lenovo device owners can also go to the “Drivers & Software” website, search for their device by name, select the “Manual Update” option and then download the most recent version of the BIOS firmware.
