Recently, Lenovo’s new BIOS updates fixes the high-severity vulnerabilities impacting hundreds of devices in several models (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).
The potential impact may include Information disclosure, privilege escalation and denial of service.
The List of Vulnerabilities Includes:
- CVE-2021-28216 – Fixed pointer vulnerability in TianoCore EDK II BIOS that allow an attacker with local access and elevated privileges to execute arbitrary code. TianoCore EDK II is the foundational open source UEFI (BIOS) code used throughout industry in all modern computers.
- CVE-2022-40134 – Information leak vulnerability found in the SMI Set BIOS Password SMI Handler, allow an attacker with local access and elevated privileges to read SMM memory.
- CVE-2022-40135 – Information leak vulnerability in the Smart USB Protection SMI Handler, allow an attacker with local access and elevated privileges to read SMM memory.
- CVE-2022-40136 – Information leak vulnerability in SMI Handler used to configure platform settings over WMI in some Lenovo models, allow an attacker with local access and elevated privileges to read SMM memory.
- CVE-2022-40137 – Buffer overflow in the WMI SMI Handler, allow an attacker with local access and elevated privileges to execute arbitrary code.
American Megatrends security enhancements (AMI), no CVE available.
To Download the Latest Version:
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update.
Recommendation
According to the Lenovo’s security advisory, “Update system firmware to the version (or newer) indicated for your model”.
The company has fixed the issues in the new BIOS updates for impacted products. Remaining fixes are expected by the end of September and October and few models may receive patches in the upcoming year.
