Lenovo BIOS/UEFI updates fix vulnerabilities, hundreds of models affected (9.2022)

[German]Chinese computer manufacturer Lenovo has released updates for the BIOS/UEFI of hundreds of its computer models. These are intended to address serious vulnerabilities (CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136, CVE-2022-40137), which Lenovo describes in a security advisory. 


Advertising

Lenovo Security Advisory LEN-94953 Multi-Vendor BIOS Security Vulnerabilities (September 2022) addresses the vendor-reported vulnerabilities CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136, and CVE-2022-40137 was released on September 13, 2022 and describes the following details:

  • AMI released security enhancements for AMI BIOS. No CVE available.
  • CVE-2021-28216: Tianocore reported a fixed pointer vulnerability in the TianoCore EDK II BIOS that could allow an attacker with local access and elevated privileges to execute arbitrary code. TianoCore EDK II is the basic open-source UEFI (BIOS) code used in the industry in all modern computers.
  • CVE-2022-40137: A buffer overflow in the WMI SMI handler in some Lenovo models could allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2022-40134: An information leak in the SMI Set BIOS Password SMI Handler in some Lenovo models could allow an attacker with local access and elevated privileges to read SMM memory.
  • CVE-2022-40135: A vulnerability in the SMI Handler for Smart USB Protection in some Lenovo models could allow an attacker with local access and elevated privileges to read SMM memory.
  • CVE-2022-40136: A vulnerability in the SMI handler used to configure platform settings via WMI in some Lenovo models could allow an attacker with local access and elevated privileges to read SMM memory.

Lenovo recommends updating the devices to the latest BIOS version, but also writes that not all specified products (for which updates are available),are affected by above CVEs. The background is that Lenovo always combines several BIOS security fixes and enhancements in as few updates as possible, if possible. The downloads of the updated BIOS versions is possible via the Lenovo site. Lenovo also offers tools to support the updates. Below are the links to the pages with the affected products:

(via)


Advertising

This entry was posted in devices, Security, Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).