Lenovo issued a security notice informing customers of multiple serious BIOS vulnerabilities affecting hundreds of Lenovo devices across various models (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).

Exploiting the vulnerabilities might result in the disclosure of sensitive information, an increase in privileges, a denial of service, and possibly even the execution of arbitrary code in some situations.

The following are the six flaws detailed in Lenovo's security advisory:

  • CVE-2021-28216: Fixed pointer flaw in TianoCore EDK II BIOS (reference implementation of UEFI), allowing an attacker to elevate privileges and execute arbitrary code.
  • CVE-2022-40134: Information leak flaw in the SMI Set Bios Password SMI Handler, allowing an attacker to read SMM memory.
  • CVE-2022-40135: Information leak vulnerability in the Smart USB Protection SMI Handler, allowing an attacker to read SMM memory.
  • CVE-2022-40136: Information leak flaw in SMI Handler used for configuring platform settings over WMI, enabling an attacker to read SMM memory.
  • CVE-2022-40137: Buffer overflow in the WMI SMI Handler, enabling an attacker to execute arbitrary code.
  • American Megatrends security enhancements (no CVEs).

The problems have been resolved in the most recent BIOS upgrades that Lenovo has released for the affected models.

The majority of patches have been accessible since July and August of 2022.

Additional patches are anticipated to be released by the end of September and October. In addition, a limited number of models will receive updates in the following year.

The security alert contains a comprehensive list of the affected computer models, the BIOS firmware version that mitigates each vulnerability, and download links for each model.

Lenovo device owners can also go to the "Drivers & Software" website, search for their device by name, select the "Manual Update" option and then download the most recent version of the BIOS firmware.


If this tip helps and you would like to donate click on the button. Thanks In Advance


"Fortune Favors, Who Value Time over Money!"

"TeQ I.Q. was the 1st IT Company to Deliver Cloud Solutions since 2003"
Tech issues taking up your Time?
"TeQ I.Q. Makes Your Technology Simple and Easy"
Do you have Tech Frustrations like your Computer, Internet, Phone, Cellphone, Camera, TV, Car?

     "We Take Away Your Tech Frustrations and Give You the Free Time You Deserve!"
Call Robert to ask all your Technology questions.

We are giving a Free in Person TeQ Seminar at our office in La Mesa every Wednesday from 12pm-1pm and a Free TeQ Support Q&A from 1pm-2pm. Go to https://www.teqiq.com/events for our upcoming Events and https://www.teqiq.com/seminars for info on each Seminar.

For Free Consultation Call Now Robert Black at (619) 255-4180 or visit our website https://www.teqiq.com/

Chase Bank and Others Trust TeQ I.Q. with their IT and TeQnology so can you!

Used with permission from Article Aggregator