[German]Chinese computer manufacturer Lenovo has released updates for the BIOS/UEFI of hundreds of its computer models. These are intended to address serious vulnerabilities (CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136, CVE-2022-40137), which Lenovo describes in a security advisory.
Advertising
Lenovo Security Advisory LEN-94953 Multi-Vendor BIOS Security Vulnerabilities (September 2022) addresses the vendor-reported vulnerabilities CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136, and CVE-2022-40137 was released on September 13, 2022 and describes the following details:
- AMI released security enhancements for AMI BIOS. No CVE available.
- CVE-2021-28216: Tianocore reported a fixed pointer vulnerability in the TianoCore EDK II BIOS that could allow an attacker with local access and elevated privileges to execute arbitrary code. TianoCore EDK II is the basic open-source UEFI (BIOS) code used in the industry in all modern computers.
- CVE-2022-40137: A buffer overflow in the WMI SMI handler in some Lenovo models could allow an attacker with local access and elevated privileges to execute arbitrary code.
- CVE-2022-40134: An information leak in the SMI Set BIOS Password SMI Handler in some Lenovo models could allow an attacker with local access and elevated privileges to read SMM memory.
- CVE-2022-40135: A vulnerability in the SMI Handler for Smart USB Protection in some Lenovo models could allow an attacker with local access and elevated privileges to read SMM memory.
- CVE-2022-40136: A vulnerability in the SMI handler used to configure platform settings via WMI in some Lenovo models could allow an attacker with local access and elevated privileges to read SMM memory.
Lenovo recommends updating the devices to the latest BIOS version, but also writes that not all specified products (for which updates are available),are affected by above CVEs. The background is that Lenovo always combines several BIOS security fixes and enhancements in as few updates as possible, if possible. The downloads of the updated BIOS versions is possible via the Lenovo site. Lenovo also offers tools to support the updates. Below are the links to the pages with the affected products:
- Desktop
- Desktop – All in One
- Hyperscale
- Lenovo Notebook
- Smart Office
- Storage
- ThinkAgile
- ThinkPad
- ThinkServer
- ThinkStation
- ThinkSystem
(via)
