3 Critical Vulnerabilities In Lenovo Laptops’ UEFI  (70 Models Including Thinkbook) Allow Them To Be Hacked Forever, Even After Removing The Hard Drive

Lenovo released security fixes to address three vulnerabilities that reside in the UEFI firmware shipped with over 70 product models, including several ThinkBook models. ESET Research discovered and reported to the manufacturer these three vulnerabilities. Two months of ago UEFI vulnerabilities affected Dell laptops.

CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code. 

CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code. 

CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.

Potential Impact: Privilege escalation 

Severity: Medium

Mitigation

Owners of affected devices are highly recommended to update to the latest firmware version. To download the version specified for your product below, follow these steps: Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

List of Models affected