Multiple Vendor Vulnerabilities Reported on Lenovo Products

Risk:
high
Damage:
high
Platform(s):
Lenovo
Advisory ID:
ngCERT-2022-0094
Version:
N/A
CVE:
CVE-2021-28216, CVE-2022-40134, CVE-2022-40135, CVE-2022-40136, CVE-2022-40137
Published:
September 22, 2022

Summary


According to Lenovo, multiple vulnerabilities have been discovered in Lenovo products. These high-severity vulnerabilities could allow an authenticated local attacker to circumvent security restrictions, gain elevated privileges, execute arbitrary code on the targeted system, gain sensitive information, and exploit this vulnerability by also sending a specially crafted request to the targeted user.

Description & Consequence


Lenovo disclosed a number of vendor vulnerabilities in some of her products, which could lead to information disclosure, privilege escalation, and denial of service. This vulnerability primarily affects Lenovo Products (Desktop, Desktop - All in One, Hyperscale, Lenovo Notebook, Smart Office, Storage, ThinkAgile, ThinkPad, ThinkServer, ThinkStation, and ThinkSystem).

The vulnerabilities are caused by flaws in the System Management Interrupt (SMI) Set BIOS Password SMI Handler, e-Smart USB Protection SMI Handler, System Management Interrupt (SMI) Handler used to configure platform settings over Windows Management Instrumentation (WMI), and a buffer overflow flaw in WMI SMI Handler, according to the report. A fixed pointer vulnerability has also impacted the TianoCore EDK II BIOS.

A successfully exploitation of these vulnerabilities could allow an authenticated local attacker to bypass security restrictions, gain elevated privileges and execute arbitrary code on the targeted system. This local attacker could also send a specially crafted request to the targeted user to gain sensitive information. Consequently, the vulnerability could result to unauthorized Information disclosure, privilege escalation and denial of service on the targeted system.

Solution


Users are advised to update their system firmware to the newer version(s indicated for their Product model as described in the steps below:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Reference


Revision


Related Articles