Lenovo issues firmware updates after UEFI vulnerabilities disclosed
Déjà vu all over again for laptop maker as researchers poke holes in its code
Security researchers have spotted fresh flaws in Lenovo laptops just months after the vendor patched a bunch of its products.
The PC maker has now fixed the trio of bugs, which were flagged up by ESET this week. More than 70 models were impacted by this latest issue, including a number of ThinkBook devices. The vulnerabilities reported were buffer overflows in the UEFI firmware.
"The vulnerabilities," explained the ESET Research team, "can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features."
"It's a typical UEFI 'double GetVariable' vulnerability," the team added, before giving a hat tip to efiXplorer.
Lenovo has published an advisory on the matter this week: the CVE identifiers are CVE-2022-1890, CVE-2022-1891, CVE-2022-1892. All are related to buffer overflows and carry the risk that an attacker with local privileges will be able to execute arbitrary code. Their severity was rated as medium.
As for mitigation, updating the firmware is pretty much all customers can do, although not all products are affected by all three vulnerabilities. All of the products, however, do seem to be hit by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver.
- Choosing a non-Windows OS on Lenovo Secured-core PCs is trickier than it should be
- Will Lenovo ever think beyond hardware?
- Lenovo reveals small but mighty desktop workstation
- Lenovo, Barcelona Supercomputing Center sign joint research deal
The disclosure follows another three vulnerabilities patched in April, also concerned with UEFI on Lenovo kit. UEFI, or Unified Extensible Firmware Interface, is the glue connecting a device's firmware with the operating system on top. A vulnerability there could potentially be exploited before a device gets a chance to boot its operating system and fire up malware protections, allowing the computer to become deeply infected and compromised.
ESET research noted that the flaws were a result of "insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable."
These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call. 3/6 pic.twitter.com/HC5ow6KTN0— ESET research (@ESETresearch) July 13, 2022
ThinkPad hardware is not affected, probably to the relief of harassed enterprise administrators around the world. Other Lenovo device users should check the list and perform a firmware update if needed.
The Register asked ESET for more detail on how these vulnerabilities could be exploited, and will let you know if we learn more. We asked Lenovo why this seems to keep happening.
Ignoring that question, the PC maker told us: "The vulnerability reported by Lenovo and ESET has been mitigated and updates can be found here. Customers who apply the update are not at risk.
"Lenovo works closely with all security researchers to provide responsible disclosure of vulnerabilities that protects customers by ensuring mitigations are in place before reporting. Lenovo thanks ESET for its professionalism and cooperation in reporting its findings." ®