Lenovo BIOS firmware has multiple security flaws

Security company ESET recently disclosed the latest security vulnerability in Lenovo's laptop BIOS firmware. Lenovo was notified in advance so it could fix the vulnerability before it was announced.
According to the security bulletin, the firmware used in Lenovo's consumer laptops has a vulnerability that allows an attacker to disable Secure Boot by changing an NVRAM variable.
Once UEFI Secure Boot is disabled, attackers can launch attacks using various types of malware that Secure Boot would otherwise block. Given the huge installed base of Lenovo devices, the exposure is considerable.
[Image: "lenovo" by keso, licensed under CC BY-NC-ND 2.0]

Lenovo has now released new firmware versions that fix the vulnerabilities; this is the third BIOS/UEFI firmware vulnerability disclosure affecting Lenovo so far in 2022.

The vulnerabilities are as follows:

  • CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
  • CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
  • CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the IdeaPad Y700-14ISK that was mistakenly not deactivated may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
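All three flaws come down to the same thing: the Secure Boot setting lives in an NVRAM variable that a privileged attacker can flip. A defender therefore wants a baseline check of the firmware-reported state so that an unexpected change stands out. The script below is an added example, not code from ESET, Lenovo or this article; it reads the `SecureBoot` and `SetupMode` variables that UEFI firmware exposes through Linux efivarfs (the `/sys` paths and the EFI global-variable GUID are assumptions about a standard Linux host) and parses the efivarfs file layout to decide whether Secure Boot is actually enforcing.

```python
"""Baseline check of the UEFI Secure Boot state on a Linux host via efivarfs."""
from pathlib import Path

# Assumed standard Linux paths; efivarfs is only present on a UEFI boot.
EFIVARS = Path("/sys/firmware/efi/efivars")
DMI_BIOS_VERSION = Path("/sys/class/dmi/id/bios_version")
# EFI_GLOBAL_VARIABLE GUID, the namespace that owns SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(blob: bytes) -> tuple[int, bytes]:
    """An efivarfs file is a 4-byte little-endian attribute word followed by the data."""
    if len(blob) < 4:
        raise ValueError("efivar file shorter than its attribute header")
    return int.from_bytes(blob[:4], "little"), blob[4:]


def secure_boot_status(secureboot_blob: bytes, setupmode_blob: bytes) -> dict:
    """Interpret the two one-byte variables.

    Secure Boot only enforces signature checks when SecureBoot == 1 AND the
    platform is not in SetupMode (SetupMode == 0); reporting both avoids a
    false sense of safety from the SecureBoot byte alone.
    """
    _, sb = parse_efivar(secureboot_blob)
    _, sm = parse_efivar(setupmode_blob)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot/SetupMode must each be exactly one byte")
    enabled, setup = sb[0] == 1, sm[0] == 1
    return {"secure_boot": enabled, "setup_mode": setup, "enforcing": enabled and not setup}


def read_status_from_host() -> dict:
    """Read the live variables; raises FileNotFoundError on a legacy-BIOS boot."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    status = secure_boot_status(sb, sm)
    if DMI_BIOS_VERSION.exists():  # record the firmware version alongside the state
        status["bios_version"] = DMI_BIOS_VERSION.read_text().strip()
    return status


if __name__ == "__main__":
    # Constructed sample: attribute word 0x06 (boot-service + runtime access), then one data byte.
    print(secure_boot_status(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    try:
        print(read_status_from_host())
    except (FileNotFoundError, PermissionError) as exc:
        print(f"live check unavailable: {exc}")
```

A host whose recorded baseline was `enforcing: True` and now reports `False` with no administrator change is the event to investigate. On firmware affected by these CVEs the reported value itself can be altered, so the check complements the firmware update rather than replacing it.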

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.