Lenovo updates BIOS to patch security holes for hundreds of device models

Chinese computer maker Lenovo has just released a security advisory to warn of several high-severity BIOS vulnerabilities.

The BIOS vulnerabilities are rated high severity and affect hundreds of devices across many product lines (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).

If exploited, these vulnerabilities can lead to information disclosure, privilege escalation, denial of service, and in some cases arbitrary code execution.

Vulnerabilities mentioned in Lenovo's security advisory include:

  1. CVE-2021-28216: Fixed-pointer vulnerability in the TianoCore EDK II BIOS (UEFI's reference implementation), allowing attackers to elevate privileges and execute arbitrary code.
  2. CVE-2022-40135: Information leak in Smart USB Guard SMI Handler, allowing hackers to read SMM memory.
  3. CVE-2022-40136: Information leak in SMI Handler used to configure platform settings via WMI, allowing hackers to read SMM memory.
  4. CVE-2022-40137: Buffer Overflow in the WMI SMI Handler, allowing hackers to execute arbitrary code.
  5. American Megatrends security improvements (no CVE code assigned).

SMM (Ring-2) is part of the UEFI firmware that provides system-wide functions such as low-level hardware control and power management.

Code running in SMM can reach the operating system, RAM and storage, which is why both AMD and Intel developed SMM isolation mechanisms to keep user data safe against low-level threats.


Remedies

Lenovo has fixed the issue in the latest BIOS updates for affected products. Most of the patches were released between July and August 2022.

Additional patches are expected to roll out in late September and October while a small number of devices will receive the patch next year. To see the details of the affected computer models and the BIOS firmware version that fixes the corresponding issue, you can access Lenovo's security message board via the link below:

Alternatively, Lenovo computer owners can visit Lenovo's software and driver download page, then search by product name, select manual update, and download the latest BIOS firmware version.
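For a fleet rather than a single machine, the practical check is to compare each host's reported BIOS version with the first fixed version listed in the advisory for that model. The script below is an added example, not Lenovo's tooling; it assumes the SMBIOS version string format "BUILDID (major.minor )" and uses constructed placeholder models and versions, since the real fix versions come only from the advisory.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumed format of the SMBIOS BIOS version string: a build ID followed by the
# numeric release in parentheses, e.g. "EXAMPLE75W (1.51 )". All build IDs,
# models and versions below are constructed placeholders for this example.
VERSION_RE = re.compile(r"^(?P<build>[A-Z0-9]{6,10})\s*\((?P<ver>\d+(?:\.\d+)*)\s*\)$")


def parse_release(s: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric release as an int tuple, or None if unparseable."""
    m = VERSION_RE.match(s.strip())
    if m is None:
        return None
    return tuple(int(x) for x in m.group("ver").split("."))


def is_patched(installed: str, fixed: str) -> Optional[bool]:
    """True if the installed release is at or above the fixed release for the
    same model; None means a string could not be parsed and needs manual review."""
    a, b = parse_release(installed), parse_release(fixed)
    if a is None or b is None:
        return None
    return a >= b


def read_installed_version() -> Optional[str]:
    """Read the live BIOS version on Linux from sysfs (returns None elsewhere)."""
    p = Path("/sys/class/dmi/id/bios_version")
    return p.read_text().strip() if p.exists() else None


# Constructed inventory: hostname -> (model, installed BIOS version string).
INVENTORY = {
    "lt-001": ("ThinkPad (placeholder model A)", "EXAMPLE75W (1.51 )"),
    "lt-002": ("ThinkPad (placeholder model A)", "EXAMPLE70W (1.46 )"),
    "ws-003": ("ThinkStation (placeholder model B)", "unknown"),
}
# Placeholder advisory table: model -> first fixed BIOS version (made up).
FIXED_VERSIONS = {
    "ThinkPad (placeholder model A)": "EXAMPLE75W (1.51 )",
    "ThinkStation (placeholder model B)": "EXAMPLE42A (1.20 )",
}


def unpatched_hosts(inventory, fixed) -> Dict[str, str]:
    """Map each host needing attention to a reason: 'unpatched' or 'unparseable'."""
    result = {}
    for host, (model, installed) in inventory.items():
        if model not in fixed:
            continue  # model not covered by the advisory table
        ok = is_patched(installed, fixed[model])
        if ok is None:
            result[host] = "unparseable"
        elif not ok:
            result[host] = "unpatched"
    return result
```

Hosts reported as "unparseable" should be checked by hand rather than assumed patched.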
