Chinese computer manufacturer Lenovo has released a security advisory warning of several high-severity BIOS vulnerabilities affecting hundreds of devices across its product lines (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).
Exploitation of the flaws can lead to information disclosure, elevation of privileges, denial of service, and in certain circumstances, execution of arbitrary code.
The vulnerabilities listed in the Lenovo security advisory are the following:
- CVE-2021-28216: A fixed-pointer flaw in the TianoCore EDK II BIOS (UEFI reference implementation), allowing an attacker to elevate privileges and execute arbitrary code.
- CVE-2022-40134: Information leak flaw in the SMI Set BIOS Password SMI handler, allowing an attacker to read SMM memory.
- CVE-2022-40135: Information leak vulnerability in the SMI Smart USB Protection handler, allowing an attacker to read SMM memory.
- CVE-2022-40136: Information leak flaw in the SMI handler used to configure platform settings via WMI, allowing an attacker to read SMM memory.
- CVE-2022-40137: Buffer overflow in the WMI SMI handler, allowing an attacker to execute arbitrary code.
- American Megatrends security enhancements (no CVE).
SMM (System Management Mode, often described as Ring -2) is the part of UEFI firmware that provides system-wide functions such as low-level hardware control and power management.
Code running in SMM can reach the operating system, RAM, and storage resources; this is why AMD and Intel have developed SMM isolation mechanisms to protect user data from low-level threats.
Lenovo has resolved the issues in the latest BIOS updates for the affected products. Most fixes have been available since July and August 2022.
Additional fixes are expected by the end of September and October, while a short list of models will receive updates next year.
A complete list of affected computer models and the BIOS firmware version that fixes each vulnerability is included in the security bulletin, with links to the download portal for each model.
Alternatively, owners of Lenovo computers can go to the “Drivers and Software” support page, search for their product by name, select “Manual Update”, and download the latest BIOS firmware available.