Friday, September 16, 2022

Lenovo issues Emergency Security Patch for hundreds of its models

 Lenovo is a computer manufacturer. Lenovo has sold a very large number of desktops, laptops, tablets, and other devices.

The emergency patch addresses six high-severity flaws, so it is important.

The flaws can be abused to steal sensitive data, escalate privileges, conscript devices into botnets for denial-of-service attacks, and/or execute arbitrary code.

The Common Vulnerabilities and Exposures (CVE) entries fixed by this emergency security patch:

CVE-2021-28216: pointer flaw in the TianoCore EDK II BIOS; elevation of privilege and arbitrary code execution

CVE-2022-40134: information leak flaw in the SMI Set BIOS Password SMI handler; allows SMM memory reading

CVE-2022-40135: information leak vulnerability in the Smart USB SMI handler; allows SMM memory reading

CVE-2022-40136: information leak flaw in the SMI handler used for configuring platform settings over WMI; allows SMM memory reading

CVE-2022-40137: buffer overflow in the WMI SMI handler; allows arbitrary code execution

American Megatrends security enhancements (no CVE assigned)

The fixes for the above flaws are part of the latest BIOS update. Keeping your BIOS updated is one of the many updates users of today's complex cyber environments must keep up with, alongside updates to Windows, macOS, apps, browsers, routers, wireless access points, smartphones, streaming devices, smart TVs, etc.

Lenovo advises updating the BIOS immediately. More patches/updates are to be released by the end of September and some in October.

If your Lenovo device uses UEFI instead, Lenovo has patched these CVEs: CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892. UEFI flaws are usually more difficult to exploit, but they are exploitable.

To patch your affected device's BIOS, navigate to the Drivers & Software portal on Lenovo's web site and choose Manual Update.
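As an added example (not from this post or from Lenovo), here is a PowerShell check an administrator can run before visiting the portal to see whether a machine reports a Lenovo BIOS and which version is installed. The Lenovo version-string format and the minimum fixed versions in the table are assumptions/placeholders to be replaced with the values from Lenovo's advisory.

```powershell
# Added example (not from the post or from Lenovo): inventory the local machine's
# BIOS so an administrator can see which Lenovo devices still need the update.
# ASSUMPTIONS: Lenovo reports its BIOS as "<family><build> (<major.minor> )",
# e.g. "N2HET70W (1.53 )"; the minimum fixed versions below are PLACEHOLDERS,
# take the real ones from Lenovo's advisory / Drivers & Software portal.
function Get-LenovoBiosStatus {
    param(
        # Placeholder table: BIOS family prefix -> first version containing the fix.
        [hashtable]$MinimumFixedVersion = @{ 'N2HE' = [version]'99.99' }  # PLACEHOLDER
    )
    $bios    = Get-CimInstance -ClassName Win32_BIOS
    $system  = Get-CimInstance -ClassName Win32_ComputerSystem
    $product = Get-CimInstance -ClassName Win32_ComputerSystemProduct

    if ($bios.Manufacturer -notmatch 'LENOVO') {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = 'NotLenovo' }
    }

    # Parse the Lenovo-style version string (assumed format, see above).
    $parsed = [regex]::Match($bios.SMBIOSBIOSVersion,
                             '^(?<family>[A-Z0-9]{4})\w*\s*\((?<ver>\d+\.\d+)\s*\)')
    $status = 'UnknownFamily'
    if ($parsed.Success) {
        $family  = $parsed.Groups['family'].Value
        $current = [version]$parsed.Groups['ver'].Value
        if ($MinimumFixedVersion.ContainsKey($family)) {
            $status = if ($current -ge $MinimumFixedVersion[$family]) { 'Patched' } else { 'NeedsUpdate' }
        }
    }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        MachineType = $system.Model        # machine type string as reported by SMBIOS
        ProductName = $product.Version     # marketing name on Lenovo systems
        BiosVersion = $bios.SMBIOSBIOSVersion
        Released    = $bios.ReleaseDate
        Status      = $status
    }
}

# Run locally; wrap in Invoke-Command for a fleet and review hosts marked NeedsUpdate.
Get-LenovoBiosStatus | Format-List
```

Hosts reported as UnknownFamily need a manual look at the portal, since the placeholder table only knows the families you put in it.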
