Note for blog readers who use Lenovo (and IBM) notebooks. Security researchers from ESET have found serious vulnerabilities in the UEFI firmware of Lenovo notebooks that allow the operating system to be hijacked in the early boot phase. Lenovo has issued a security advisory listing over 70 notebook models (including ThinkBook) as affected.
ESET finds vulnerability
Security researchers from security vendor ESET pointed out in a series of tweets that there is a problem with Lenovo devices. The researchers found no fewer than three buffer overflow vulnerabilities in the UEFI firmware of several Lenovo notebook devices. More than 70 different models are affected, including several ThinkBook models.
Lenovo offers firmware upgrade
After ESET reported the vulnerabilities to Lenovo, the manufacturer began developing a patch and has revealed details. The vulnerabilities are as follows, according to this Lenovo advisory:
- CVE-2022-1890: A buffer overflow has been discovered in the ReadyBootDxe driver in some Lenovo notebook products, which could allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1891: A buffer overflow in the SystemLoadDefaultDxe driver was discovered in some Lenovo notebook products, which could allow an attacker with local privileges to execute arbitrary code.
- CVE-2022-1892: A buffer overflow in the SystemBootManagerDxe driver was discovered in some Lenovo notebook products, which could allow an attacker with local privileges to execute arbitrary code.
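The advisory names the bug class (a buffer overflow in a DXE driver, reachable with local privileges) but not the root cause. As an added illustration that is not Lenovo's or ESET's code, the C mock below shows one common way such an overflow arises in a DXE driver, reading a variable-length NVRAM value into a fixed-size stack buffer, next to the hardened read that rejects oversized input; the mechanism is assumed for illustration, not taken from this page, and all names (mock_get_variable, nvram_set, read_config, probe) and status values are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for the EDK2 types a DXE driver uses. Numeric values are constructed
 * for this example and do not match EDK2's encoded EFI_STATUS values. */
typedef uint32_t EFI_STATUS;
enum { EFI_SUCCESS = 0, EFI_BAD_BUFFER_SIZE = 4, EFI_BUFFER_TOO_SMALL = 5, EFI_NOT_FOUND = 14 };

/* Constructed NVRAM store holding a single variable. A user who already has local
 * privileges can resize such a variable from the OS, so its size is untrusted input. */
static uint8_t g_var[256];
static size_t  g_var_size;

void nvram_set(const uint8_t *data, size_t size) {
    g_var_size = size > sizeof g_var ? sizeof g_var : size;
    memcpy(g_var, data, g_var_size);
}

/* Mock of gRT->GetVariable(): same size contract as the real runtime service.
 * If *data_size is too small it reports the needed size and writes nothing. */
EFI_STATUS mock_get_variable(size_t *data_size, void *data) {
    if (g_var_size == 0) return EFI_NOT_FOUND;
    if (*data_size < g_var_size) { *data_size = g_var_size; return EFI_BUFFER_TOO_SMALL; }
    *data_size = g_var_size;
    memcpy(data, g_var, g_var_size);
    return EFI_SUCCESS;
}

#define CONFIG_MAX 32

/* Unsafe pattern (shown only, never called): query the needed size, then pass that
 * attacker-controlled size while reading into a fixed stack buffer, so any variable
 * larger than CONFIG_MAX overruns the stack:
 *   uint8_t buf[CONFIG_MAX]; size_t n = 0;
 *   mock_get_variable(&n, NULL);   // n becomes the stored size, whatever it is
 *   mock_get_variable(&n, buf);    // copies n bytes into a 32-byte buffer
 */

/* Hardened pattern: the driver's own buffer size is the limit it passes in, and a
 * BUFFER_TOO_SMALL reply is an error, not a reason to retry with a bigger size. */
EFI_STATUS read_config(uint8_t out[CONFIG_MAX], size_t *out_len) {
    size_t n = CONFIG_MAX;
    EFI_STATUS st = mock_get_variable(&n, out);
    *out_len = (st == EFI_SUCCESS) ? n : 0;
    return st == EFI_BUFFER_TOO_SMALL ? EFI_BAD_BUFFER_SIZE : st;
}

/* Constructed driver entry: stores a variable of var_size bytes (0xAB) and reads it back. */
EFI_STATUS probe(size_t var_size, size_t *got_len) {
    uint8_t payload[256]; memset(payload, 0xAB, sizeof payload);
    uint8_t out[CONFIG_MAX];
    nvram_set(payload, var_size);
    return read_config(out, got_len);
}
```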
Fortunately, an attacker needs local privileges to exploit these flaws and execute arbitrary code at boot time. Lenovo is asking customers to update the system firmware on affected models. UEFI firmware updates for the affected devices are available on the manufacturer's support pages:
- Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
- Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
- IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
There, search for your Lenovo notebook model, then download and install the matching firmware update. A list of affected devices (Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145), including which of the vulnerabilities each is affected by, can be found in the Lenovo security advisory.