Lenovo has fixed a number of serious BIOS flaws that threat actors could potentially exploit to launch large-scale cyberattacks across a wide range of its products, from desktop computers to laptops.
According to a security report published earlier this week, hundreds of its devices, including the Desktop, All-in-One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, and ThinkSystem series, were affected by a total of six different vulnerabilities.
Threat actors may abuse these flaws to steal sensitive data, escalate privileges, launch denial-of-service attacks, and, in extreme instances, achieve arbitrary code execution.
Information leaks of this kind also raise the risk of arbitrary code execution.
Lenovo's security fixes cover CVE-2021-28216 (a pointer flaw in TianoCore's EDK II BIOS that allows elevation of privilege and arbitrary code execution), CVE-2022-40134 (an information leak flaw in the Smart USB Protection SMI Handler that allows SMM memory to be read), CVE-2022-40136 (an information leak flaw in the WMI SMI Handler that allows SMM memory to be read), CVE-2022-40137 (a buffer overflow in the
The fix for these flaws ships as part of the most recent BIOS update for the above-mentioned devices, and the company is instructing all system administrators to apply it immediately.
Additional patches are expected to be released before the end of this month and in October, with a short list of models receiving their updates early next year.
Users who want to fix their endpoints should go to Lenovo's Drivers & Software portal, search for their device by name, and choose Manual Update. The portal then provides the latest BIOS firmware version for download, which they can install manually.
The full list of affected devices can be found at this link.