Lenovo has released BIOS updates for many of its desktop PC, laptop and server models to fix several critical vulnerabilities. Let's take a look.
In a security bulletin, Lenovo lists 5 important vulnerabilities affecting the BIOS of some of its models. The list of affected product ranges runs to several hundred models, including desktops, laptops, servers and All-in-One PCs: IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem, IdeaPad, Yoga, ThinkBook, etc.
Here is the list of vulnerabilities covered by this new security bulletin:
- CVE-2021-28216: Fixed pointer defect in the TianoCore EDK II BIOS, allowing an attacker to elevate their privileges and execute arbitrary code.
- CVE-2022-40134: Information leak in the SMI Set Bios Password SMI Handler, allowing an attacker to read SMM memory.
- CVE-2022-40135: Information leak in the Smart USB Protection SMI Handler, allowing an attacker to read SMM memory.
- CVE-2022-40136: Information leak in the SMI Handler used to configure platform settings via WMI, allowing an attacker to read SMM memory.
- CVE-2022-40137: Buffer overflow in the WMI SMI Handler, allowing an attacker to execute arbitrary code.
Exploitation of these flaws can lead to information disclosure, elevation of privileges, denial of service and, in some cases, execution of arbitrary code on the vulnerable machine.
How to protect against these vulnerabilities?
The good news is that Lenovo has already fixed these vulnerabilities in the latest BIOS updates for the majority of affected products. Some updates have been available since July and August 2022, while others will arrive in September and October.
To check whether an update is available for a specific model, refer to Lenovo's security bulletin, which contains the complete list with the appropriate links.
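Before comparing against the bulletin, an administrator first needs to know which Lenovo models are in the fleet and which BIOS version each one is running. The PowerShell script below is an added example written for this article, not code from Lenovo or from the bulletin. It reads the standard Win32_BIOS, Win32_ComputerSystem and Win32_ComputerSystemProduct CIM classes (on Lenovo systems, Win32_ComputerSystemProduct.Version usually carries the marketing model name) and compares the installed BIOS version with a table of fixed versions. The table contents are placeholders: the real model names and fixed BIOS versions must be copied from Lenovo's bulletin.

```powershell
# Added example (not from the Lenovo bulletin): inventory the BIOS of the local
# machine, or of a list of remote hosts, so the result can be compared against
# the fixed BIOS versions published in Lenovo's security bulletin.
# $FixedVersions is a placeholder table: fill it in from the bulletin, keyed by
# the model name as reported in Win32_ComputerSystemProduct.Version.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [hashtable]$FixedVersions = @{
        'PLACEHOLDER-MODEL-NAME' = 'PLACEHOLDER-FIXED-BIOS-VERSION'
    }
)

function Get-BiosInventory {
    param([string[]]$ComputerName, [hashtable]$FixedVersions)

    foreach ($name in $ComputerName) {
        try {
            # Standard CIM classes; remote queries need WinRM/CIM access to the host.
            $bios = Get-CimInstance -ClassName Win32_BIOS -ComputerName $name -ErrorAction Stop
            $sys  = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $name -ErrorAction Stop
            $prod = Get-CimInstance -ClassName Win32_ComputerSystemProduct -ComputerName $name -ErrorAction Stop
        } catch {
            # Report the failure as a row instead of aborting the whole inventory.
            [pscustomobject]@{
                Computer = $name; Manufacturer = $null; Model = $null; ProductName = $null
                BiosVersion = $null; BiosDate = $null
                Status = "Query failed: $($_.Exception.Message)"
            }
            continue
        }

        $status = 'Not a Lenovo system'
        if ($sys.Manufacturer -match 'LENOVO') {
            $modelName = $prod.Version
            if (-not $modelName -or -not $FixedVersions.ContainsKey($modelName)) {
                $status = 'Model not in table: check the bulletin manually'
            } elseif ($bios.SMBIOSBIOSVersion -eq $FixedVersions[$modelName]) {
                $status = 'Fixed BIOS version installed'
            } else {
                # A different string is not necessarily older; confirm against the bulletin.
                $status = "Differs from fixed version $($FixedVersions[$modelName]): review"
            }
        }

        [pscustomobject]@{
            Computer     = $name
            Manufacturer = $sys.Manufacturer
            Model        = $sys.Model
            ProductName  = $prod.Version
            BiosVersion  = $bios.SMBIOSBIOSVersion
            BiosDate     = $bios.ReleaseDate
            Status       = $status
        }
    }
}

# Usage: .\Get-BiosInventory.ps1 -ComputerName host1,host2 -FixedVersions @{ 'Model' = 'Version' }
Get-BiosInventory -ComputerName $ComputerName -FixedVersions $FixedVersions |
    Format-Table -AutoSize
```

The script deliberately reports "differs" rather than "older", because Lenovo BIOS version strings vary between product lines and a plain string comparison cannot reliably order them; any row flagged for review should be checked against the version and date given in the bulletin for that model. Rows for models absent from the table are the ones still to be looked up.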