Lenovo released a security alert warning of many high-severity BIOS vulnerabilities affecting hundreds of desktops, 2-in-1’s and laptops.
When exploited, the issue may result in data breaches, privilege escalation, DDoS and arbitrary code execution. The following vulnerabilities were detailed in Lenovo’s security advisory:
- CVE-2021-28216: a pointer hole in the TianoCore EDK II BIOS (reference implementation of UEFI), which allowed an attacker to gain elevated privileges and execute arbitrary code.
- CVE-2022-40134: an attacker can access SMM memory due to an information leak vulnerability in the SMI Set Bios Password SMI Handler.
- CVE-2022-40135: the Smart USB Protection SMI Handler has an information leak vulnerability that allows an attacker to access SMM memory.
- CVE-2022-40136: an information leak vulnerability in the SMI Handler, which is used to configure platform settings through WMI, allows an attacker to access SMM memory.
- CVE-2022-40137: Buffer overflow in the WMI SMI Handler allows an attacker to execute arbitrary code.
- Security upgrades for American Megatrends (no CVEs).
SMM (ring -2) is a component of the UEFI firmware that performs system-wide tasks like low-level hardware control and power management. Because SMM access can be extended to the operating system, RAM, and storage resources, AMD and Intel have implemented SMM isolation measures to protect user data from low-level attacks.
Lenovo has addressed the vulnerabilities in the most recent BIOS updates, with a majority of the fixes published during July and August 2022. Additional patches are due in September and October, with a select few models receiving upgrades next year.
The security alert includes a comprehensive list of the compromised computer models, the BIOS firmware version that fixes each issue, and download links to patches. Additionally, Lenovo customers can visit the ‘Drivers & Software‘ page, search for their device by name, choose ‘Manual Update’ and download the most recent BIOS firmware version available.