
Lenovo offers emergency fix for hundreds of models


Lenovo has corrected a number of critical BIOS problems that might have allowed cyberattacks on desktop PCs and laptops.

In a security alert published this week, the company stated that hundreds of its Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, and ThinkSystem devices were exposed to six distinct vulnerabilities.

By exploiting these flaws, malicious actors might gain access to private information, elevate their privileges, cause a denial of service, or even execute arbitrary code.

Leaking data, exposing arbitrary code

Lenovo fixed CVE-2021-28216 (pointer flaw in TianoCore EDK II BIOS, allows elevation of privilege and arbitrary code execution), CVE-2022-40134 (information leak flaw in the SMI Set Bios Password SMI Handler, allows SMM memory reading), CVE-2022-40135 (information leak flaw in the Smart USB Protection SMI Handler, allows SMM memory reading), and CVE-2022-40136 (information leak flaw in SMI Handler used (no CVEs).

The newest BIOS updates for the aforementioned products have fixes for these vulnerabilities, and the company recommends that all system administrators install them as soon as possible.

However, more fixes are due this month and in October, with certain models getting updates early next year.

Therefore, users who want to fix their endpoints should visit Lenovo’s “Drivers & Software” page, search for their devices by name, and click “Manual Update.” That downloads the latest BIOS firmware, which they may install manually.
