Multiple BIOS Vulnerabilities in Lenovo Products

Published on 15 Sep 2022

Updated on 15 Sep 2022

Lenovo has released security updates to address multiple vulnerabilities in their products.

The vulnerabilities are as follows:

  • CVE-2021-28216 - A fixed pointer vulnerability in TianoCore EDK II BIOS could allow an attacker to escalate privileges and execute arbitrary code. TianoCore EDK II is the foundational open source UEFI (BIOS) code used throughout the industry in all modern computers.
  • CVE-2022-40134 - An information leak vulnerability in the System Management Interrupt (SMI) Set BIOS Password SMI Handler could allow an attacker to escalate privileges to read System Management Mode (SMM) memory.
  • CVE-2022-40135 - An information leak vulnerability in the Smart USB Protection SMI Handler could allow an attacker to escalate privileges to read SMM memory.
  • CVE-2022-40136 - An information leak vulnerability in the WMI SMI Handler, which is used to configure platform settings over Windows Management Instrumentation (WMI), could allow an attacker to escalate privileges to read SMM memory.
  • CVE-2022-40137 - A buffer overflow in the WMI SMI Handler in some Lenovo models could allow an attacker to escalate privileges to execute arbitrary code.
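Four of the five issues above are the same bug class: an SMI handler that trusts a pointer or length supplied by the OS-level caller and ends up reading (or, for CVE-2022-40137, writing) System Management Mode memory on the caller's behalf. The C program below is an added illustration of that pattern and of the check a handler needs; it is not Lenovo code, not EDK II code, and does not reproduce any of the listed vulnerabilities. It uses a constructed byte array as a toy physical-memory model, a hypothetical communication-buffer layout, and SMRAM at an invented address range, so it runs stand-alone on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy physical-memory model (not real platform addresses). */
#define PHYS_SIZE   0x3000u
#define SMRAM_BASE  0x1000u
#define SMRAM_SIZE  0x1000u          /* SMRAM occupies [0x1000, 0x2000) */
#define SMRAM_END   (SMRAM_BASE + SMRAM_SIZE)

static _Alignas(16) uint8_t phys[PHYS_SIZE];

/* Hypothetical SMI communication buffer layout written by the OS-side caller. */
typedef struct {
    uint32_t src;       /* caller-controlled source address */
    uint32_t len;       /* caller-controlled length */
    uint8_t  out[32];   /* handler copies data here for the caller to read */
} comm_buffer_t;

#define STATUS_OK       0
#define STATUS_INVALID  1

/* Fill the simulated SMRAM with a recognisable marker byte. */
void setup_memory(void)
{
    memset(phys, 0, sizeof phys);
    memset(phys + SMRAM_BASE, 0x53, SMRAM_SIZE);   /* 'S' bytes stand in for SMM secrets */
}

/* True if [addr, addr+len) is a non-empty, non-wrapping range inside the model
   and entirely outside SMRAM. This is the role EDK II's
   SmmIsBufferOutsideSmmValid() plays on real firmware. */
int is_buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - addr) return 0;   /* empty or wrapping range */
    uint64_t end = addr + len;                           /* exclusive */
    if (end > PHYS_SIZE) return 0;                       /* outside modelled memory */
    if (addr < SMRAM_END && end > SMRAM_BASE) return 0;  /* overlaps SMRAM */
    return 1;
}

/* Vulnerable pattern: trusts the caller's pointer and only bounds the length
   against the output field, so a src inside SMRAM is copied out to the caller. */
int smi_handler_vulnerable(uint32_t comm_addr)
{
    comm_buffer_t *comm = (comm_buffer_t *)(phys + comm_addr);
    if (comm->len > sizeof comm->out) return STATUS_INVALID;
    if ((uint64_t)comm->src + comm->len > PHYS_SIZE) return STATUS_INVALID; /* keep the toy model in bounds */
    memcpy(comm->out, phys + comm->src, comm->len);      /* leaks SMRAM when src points into it */
    return STATUS_OK;
}

/* Hardened pattern: the comm buffer itself and every pointer it carries must be
   validated as outside SMRAM before the handler touches them; fields are read
   once so a concurrent caller cannot change them after the check. */
int smi_handler_hardened(uint32_t comm_addr)
{
    if (!is_buffer_outside_smram(comm_addr, sizeof(comm_buffer_t))) return STATUS_INVALID;
    comm_buffer_t *comm = (comm_buffer_t *)(phys + comm_addr);
    uint32_t src = comm->src, len = comm->len;           /* snapshot caller-controlled fields */
    if (len > sizeof comm->out) return STATUS_INVALID;
    if (!is_buffer_outside_smram(src, len)) return STATUS_INVALID;
    memcpy(comm->out, phys + src, len);
    return STATUS_OK;
}

/* Demo helper: place a request at comm_addr and return the first byte the
   handler wrote back, or -1 if the handler refused the request. */
int run_request(int (*handler)(uint32_t), uint32_t comm_addr, uint32_t src, uint32_t len)
{
    comm_buffer_t *comm = (comm_buffer_t *)(phys + comm_addr);
    memset(comm, 0, sizeof *comm);
    comm->src = src;
    comm->len = len;
    if (handler(comm_addr) != STATUS_OK) return -1;
    return comm->out[0];
}

int main(void)
{
    setup_memory();
    /* Caller in normal RAM (0x100) asks for 16 bytes from inside SMRAM (0x1800). */
    printf("vulnerable: %d\n", run_request(smi_handler_vulnerable, 0x100, 0x1800, 16));
    printf("hardened:   %d\n", run_request(smi_handler_hardened, 0x100, 0x1800, 16));
    /* A comm buffer placed inside SMRAM is rejected outright. */
    printf("comm in SMRAM: %d\n", run_request(smi_handler_hardened, 0x1100, 0x2500, 16));
    /* A legitimate RAM-to-RAM request still succeeds. */
    phys[0x2500] = 0x41;
    printf("benign:     %d\n", run_request(smi_handler_hardened, 0x100, 0x2500, 16));
    return 0;
}
```

The hardened handler checks three things the vulnerable one does not: that the communication buffer is itself outside SMRAM, that the range is computed with overflow-safe arithmetic, and that caller-controlled fields are copied out before validation so they cannot change between check and use. The same range test applied to a destination pointer is what prevents the write-side variant described for CVE-2022-40137.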

Users of Lenovo products such as Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation and ThinkSystem are advised to update their system firmware to the latest version indicated for their model, listed in the 'Product Impact' section of the Lenovo advisory (LEN-94953). The steps are:

  • Think Products with Windows 7, 8, 8.1, and 10: Click the Start button > All Programs > Lenovo > Lenovo System Update, or click the Start button > Control Panel > Lenovo - Update and Drivers.
  • Idea Products: Click the Start button > All Programs > Lenovo Care, and run Update Your System

More information is available here:

https://support.lenovo.com/sg/en/product_security/LEN-94953

https://support.lenovo.com/sg/sg/solutions/ht003029

https://www.bleepingcomputer.com/news/security/new-lenovo-bios-updates-fix-security-bugs-in-hundreds-of-models/