A number of Lenovo products, from desktop PCs to laptops, have received fixes for major BIOS flaws that could enable threat actors to launch devastating cyberattacks. Security advisories published by the company earlier this week list dozens of affected products, including Desktop, All-in-One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, and ThinkSystem models, which are vulnerable to multiple security flaws.
By exploiting these flaws, threat actors could gain access to sensitive data, escalate privileges, launch denial of service attacks, and execute arbitrary code.
Lenovo fixed the following vulnerabilities: CVE-2021-28216, CVE-2022-40134 and CVE-2022-40135 (information leak vulnerabilities in the Smart USB Protection SMI Handler that allow SMM memory to be read), CVE-2022-40136 (an information leak in the SMI Handler used to configure platform settings over WMI, likewise allowing SMM memory to be read), CVE-2022-40137 (a buffer overflow in the WMI SMI Handler that allows arbitrary code execution), and American Megatrends security enhancements (no CVEs assigned).
System administrators are urged to apply the BIOS update immediately in order to fix the flaws. A short list of models will receive updates early next year, with more patches expected before the end of the month and in October. To obtain the fix, administrators can look up their endpoints on Lenovo’s “Drivers & Software” portal, select “Manual Update”, and then download and manually install the latest BIOS firmware version.