One such Chinese computer company that has become very famous in the whole world, I am talking about Lenovo, whose manufacturer has not only updated BIOS in view of some problems related to the system but also reported some such vulnerabilities to the firmware. Given what was seen in some models of Lenovo, the different models are as follows (desktops, IdeaCentre, All in One, Legion, ThinkStation, ThinkPad, ThinkCentre, ThinkAgile, and ThinkSystem). Whatever concrete step the company took was really important because it was very important to fix all these weaknesses as soon as possible.
Whatever vulnerabilities have come out, it is very important to fix them as soon as possible because if they are not fixed at the earliest, then taking advantage of these vulnerabilities can lead to information disclosure, denial of service, privilege escalation, and some other circumstances, they can be used for arbitrary code execution.
The vulnerabilities that Lenovo’s security department found are as follows
- CVE-2021-28216: Fixed pointer flaw, allowing anyone who wants to attack the TianoCore EDK II BIOS (the reference implementation of UEFI) to elevate their privileges as well as execute any code arbitrarily given.
- CVE-2022-40134: This is a flaw that allows an attacker to read SMM memory at will, also known as an information leak flaw in the SMI set bios to password SMI handlers.
- CVE-2022-40135: The name of this vulnerability is an information leak vulnerability in the Smart USB Protection SMI handler because it allows any attacker to read the SMI memory.
- CVE-2022-40136: A flaw that allows information leaks in SMI handlers used to manually configure any platform settings via WMI, allowing any attacker to easily read the SMM memory.
- CVE-2022-40137: Buffer overflow in WMI SMI handler that enables any attackers to execute any code they want.
- No CVE: Enhancements and improvements of the security of American Megatrends.
At the same time, the Lenovo company said in a report that the problems have been already fixed by the security team in all the latest updated BIOS for many affected devices, so that no one has to face any trouble. Although the company has also made it clear that all the patches released by the company are available only from July and August 2022 of this year, and the remaining few patches will come by the end of September and October of this year.