Lenovo has updated the BIOS and has reported several serious vulnerabilities in the firmware that affect hundreds of devices of various models (desktops, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).
Let me remind you that we also wrote that Bugs in Lenovo laptops allow getting administrator privileges, and also that Three UEFI Firmware Vulnerabilities Affect Millions of Lenovo Users.Exploitation of found bugs can lead to information disclosure, privilege escalation, denial of service and, under certain circumstances, even arbitrary code execution.
In its security bulletin, Lenovo lists the following issues:
- CVE-2021-28216: Fixed pointer in TianoCore EDK II BIOS (UEFI reference implementation) allows an attacker to elevate privileges and execute arbitrary code;
- CVE-2022-40134: Information leaked in the Set Bios Password SMI SMI handler allowing an attacker to read the SMM memory.
- CVE-2022-40135: Smart USB Protection SMI handler leaked information allowing an attacker to read the SMM memory.
- CVE-2022-40136: An information leak in the SMI handler used to configure platform settings via WMI, allowing an attacker to read the SMM memory.
- CVE-2022-40137: Buffer overflow in WMI SMI handler allowing an attacker to execute arbitrary code.
- No CVE: American Megatrends security improvement.
Lenovo reports that the issues have already been fixed in the latest BIOS updates for many of the affected products. Most of the released patches are available from July and August 2022, with additional patches expected by the end of September and October. Also, a small number of devices will receive updates only next year.
Read also about Bugs in UEFI Affect about 70 Models of Lenovo Laptops and Microsoft explained why Windows 10 crashes on Lenovo laptops.
A complete list of affected devices, BIOS versions, as well as links to already released patches can be found here.