Lenovo is a computer manufacturer. Lenovo has sold a very large number of desktops, laptops, tablets, and other devices.
The EMERGENCY patch addresses 6 high severity flaws. So Important.
The flaws can be abused to steal sensitive data, escalate privilege, be used in botnets for denial of service attacks, and/or allow arbitrary code execution.
The Common Vulnerability and Exposures fixed/addressed by this emergency security patch:
CVE-2021-28216 pointer flaw in TianoCore EDK II BIOS Elevation of privilege & arbitrary code execution
CVE-2022-40134 Information leak flaw in SMI Set BIOS password SMI handler allows SMM memory reading
CVE-2022-40135 information leak vulnerability in Smart USB SMI Handler allows SMM memory reading
CVE-2022-40136 information leak flaw in SMI handler used for configuring platform settings over WMI allows SMM memory reading
CVE-2022-40137 buffer overflow in WMI SMI handler allows for arbitrary code execution
American Megatrends security enhancements No CVE
The fixes for the above flaws are part of the latest BIOS update. Keeping your BIOS updated is one of the many updates users of todays complex cyber environments. Updates to Windows, macOS, apps, browsers, routers, wireless access points, smart phones, streaming devices, smartTVs, etc.
Lenovo states: Advise to update the BIOS update immediately. More patches/updates to be released by the end of September and some in October.
If your Lenovo devices utilizes UEFI instead, Lenovo has patched these CVEs.
CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892. Usually UEFI flaws are more difficult to exploit, but exploitable.
To patch your affected device's BIOS navigate to Drivers & Software portal at Lenovo's web site.
Choose Manual Update.
No comments:
Post a Comment