Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting around 70 product models.
“The vulnerabilities can be exploited to attain arbitrary code execution in the early phases of the system boot, quite possibly allowing the attackers to hijack the OS execution flow and disable some vital security options,” Slovak cybersecurity firm ESET said in a series of tweets.
Tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs are buffer overflow vulnerabilities that Lenovo has described as leading to privilege escalation on affected systems. Martin Smolár from ESET has been credited with reporting the flaws.
The bugs stem from insufficient validation of an NVRAM variable called “DataSize” in three different drivers, ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe, resulting in a buffer overflow that could be weaponized to achieve code execution.
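To show why an unvalidated size leads to an overflow, the following added example (not Lenovo's driver code and not from the original article) models a fixed-size buffer filled from a variable store. It assumes a simplified mock, `get_variable`, patterned on the UEFI GetVariable convention in which the size argument is capacity on input and length on output; the buffer sizes and variable contents are constructed.

```c
#include <stdio.h>
#include <string.h>

enum { OK, BUFFER_TOO_SMALL };
#define BUF_LEN   16    /* the driver's fixed-size data buffer (assumed size) */
#define ARENA_LEN 64    /* that buffer plus the memory behind it */
#define GUARD     0xEE

/* Constructed sample: a 40-byte variable whose contents are untrusted. */
static const unsigned char nvram_var[40] = { 0x41 };

/* Mock patterned on GetVariable: *size is capacity in, length out. */
static int get_variable(unsigned char *data, size_t *size) {
    size_t need = sizeof nvram_var;
    int fits = *size >= need;
    if (fits) memcpy(data, nvram_var, need);
    *size = need;                 /* also set on BUFFER_TOO_SMALL */
    return fits ? OK : BUFFER_TOO_SMALL;
}

/* Flawed: retries with the size the store reported, not the real capacity. */
static void read_unchecked(unsigned char *buf) {
    size_t size = BUF_LEN;
    if (get_variable(buf, &size) == BUFFER_TOO_SMALL)
        get_variable(buf, &size); /* size == 40, buffer is still 16 bytes */
}

/* Hardened: capacity is stated once and an oversized variable is rejected. */
static int read_checked(unsigned char *buf) {
    size_t size = BUF_LEN;
    if (get_variable(buf, &size) != OK || size > BUF_LEN)
        return -1;
    return (int)size;
}

/* Runs one reader over a guarded arena; returns bytes written past BUF_LEN. */
size_t bytes_past_buffer(int hardened) {
    unsigned char arena[ARENA_LEN];
    size_t i, n = 0;
    memset(arena, GUARD, sizeof arena);
    if (hardened) (void)read_checked(arena); else read_unchecked(arena);
    for (i = BUF_LEN; i < ARENA_LEN; i++)
        n += arena[i] != GUARD;
    return n;
}

int main(void) {
    printf("unchecked: %zu bytes past buffer\n", bytes_past_buffer(0));
    printf("checked:   %zu bytes past buffer\n", bytes_past_buffer(1));
    return 0;
}
```

The arena keeps the out-of-bounds write inside allocated memory so the effect can be measured safely; in firmware the same write would land on whatever follows the buffer.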
This is the second time Lenovo has moved to address UEFI security vulnerabilities since the start of the year. In April, the company resolved three flaws (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972), also discovered by Smolár, that could have been abused to deploy and execute firmware implants.
Users of affected devices are strongly advised to update their firmware to the latest version to mitigate potential threats.