Lenovo Updated BIOS to Fix Bugs in Hundreds of Devices

Lenovo updated the BIOS
Written by Emma Davis

Lenovo has updated the BIOS and has reported several serious vulnerabilities in the firmware that affect hundreds of devices of various models (desktops, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).

Let me remind you that we also wrote that Bugs in Lenovo laptops allow getting administrator privileges, and also that Three UEFI Firmware Vulnerabilities Affect Millions of Lenovo Users.

Exploitation of found bugs can lead to information disclosure, privilege escalation, denial of service and, under certain circumstances, even arbitrary code execution.

In its security bulletin, Lenovo lists the following issues:

  1. CVE-2021-28216: Fixed pointer in TianoCore EDK II BIOS (UEFI reference implementation) allows an attacker to elevate privileges and execute arbitrary code;
  2. CVE-2022-40134: Information leaked in the Set Bios Password SMI SMI handler allowing an attacker to read the SMM memory.
  3. CVE-2022-40135: Smart USB Protection SMI handler leaked information allowing an attacker to read the SMM memory.
  4. CVE-2022-40136: An information leak in the SMI handler used to configure platform settings via WMI, allowing an attacker to read the SMM memory.
  5. CVE-2022-40137: Buffer overflow in WMI SMI handler allowing an attacker to execute arbitrary code.
  6. No CVE: American Megatrends security improvement.

Lenovo reports that the issues have already been fixed in the latest BIOS updates for many of the affected products. Most of the released patches are available from July and August 2022, with additional patches expected by the end of September and October. Also, a small number of devices will receive updates only next year.

Read also about Bugs in UEFI Affect about 70 Models of Lenovo Laptops and Microsoft explained why Windows 10 crashes on Lenovo laptops.

A complete list of affected devices, BIOS versions, as well as links to already released patches can be found here.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.