New UEFI Firmware Vulnerabilities Affect Multiple Lenovo Laptop Models

Lenovo, the consumer electronics maker, rolled out fixes on Tuesday to address three security flaws in its UEFI firmware affecting more than 70 product models.

“The vulnerabilities can be exploited to allow arbitrary code execution in the early stages of platform startup, which could allow attackers to hijack the operating system’s execution flow and disable some key security features,” Slovak cybersecurity firm ESET said in a series of tweets.

Logged as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs relate to buffer overflow vulnerabilities described by Lenovo as leading to escalation of privilege on affected systems. ESET’s Martin Smolár has been credited for reporting the flaws.

The flaws stem from insufficient validation of an NVRAM variable named “DataSize” in three different drivers (ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe), resulting in a buffer overflow that can be weaponized to achieve code execution.
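To illustrate the class of bug described above, the following is an added example and not Lenovo's or ESET's code: it simulates the UEFI GetVariable size contract with a constructed NVRAM store (the variable contents, the 16-byte driver buffer and both driver routines are hypothetical), shows a driver that takes its size from the NVRAM "DataSize" variable, and places the hardened form beside it.

```c
#include <stdint.h>
#include <string.h>
#define EFI_SUCCESS 0
#define EFI_NOT_FOUND 1
#define EFI_BUFFER_TOO_SMALL 2
/* Constructed NVRAM store (values made up): "DataSize" holds 24, little-endian; */
/* "Setting" is a 24-byte blob whose content does not matter, only its size. */
typedef struct { const char *name; const uint8_t *data; size_t size; } nvram_var_t;
static const uint8_t k_datasize[4] = { 24, 0, 0, 0 };
static const uint8_t k_setting[24] = { 0x41 };
static const nvram_var_t k_store[] = { { "DataSize", k_datasize, 4 }, { "Setting", k_setting, 24 } };
/* Simulated GetVariable with the real service's contract: if *data_size covers the
   variable it is copied whole into buf, else *data_size is set to the size needed and
   nothing is written. noinline keeps the call opaque, as a firmware call would be. */
__attribute__((noinline))
static int get_variable(const char *name, void *buf, size_t *data_size) {
    for (size_t i = 0; i < sizeof k_store / sizeof k_store[0]; i++) {
        if (strcmp(k_store[i].name, name) != 0) continue;
        if (*data_size < k_store[i].size) { *data_size = k_store[i].size; return EFI_BUFFER_TOO_SMALL; }
        memcpy(buf, k_store[i].data, k_store[i].size);
        *data_size = k_store[i].size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}
/* Driver stack-frame model: a 16-byte buffer followed by a guard word standing in for
   whatever the compiler placed after it; a 24-byte copy lands exactly on the guard. */
#define GUARD 0x4755415244ULL
typedef struct { uint8_t setting[16]; volatile uint64_t guard; } frame_t;
/* Vulnerable pattern (hypothetical): the size handed to GetVariable is taken from the
   NVRAM "DataSize" variable, which anything able to write NVRAM controls, not from
   the buffer. Returns 1 if the copy ran past the 16-byte buffer. */
int read_setting_vulnerable(void) {
    frame_t f = { {0}, GUARD };
    uint32_t declared = 0;
    size_t n = sizeof declared;
    if (get_variable("DataSize", &declared, &n) != EFI_SUCCESS) return -1;
    n = declared;                                /* trusted without a bounds check */
    get_variable("Setting", f.setting, &n);
    return f.guard != GUARD;
}
/* Hardened pattern: DataSize is the buffer's own size and EFI_BUFFER_TOO_SMALL is a
   refusal, so an oversized variable is never copied. Returns 0 when the buffer is intact. */
int read_setting_hardened(void) {
    frame_t f = { {0}, GUARD };
    size_t n = sizeof f.setting;
    if (get_variable("Setting", f.setting, &n) != EFI_SUCCESS) return -1;
    return f.guard != GUARD;
}
```

The same check applies to any variable whose size a driver accepts from NVRAM: the caller's DataSize must never exceed the buffer it actually provides.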

This is the second time since the beginning of the year that Lenovo has addressed UEFI security vulnerabilities. In April, the company fixed three vulnerabilities (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972), also discovered by Smolár, that could have been exploited to deploy and run firmware implants.

Users of affected devices are strongly advised to update their firmware to the latest version to mitigate potential threats.
