Lenovo: UEFI firmware updates available
70 models of Lenovo laptops are affected by a UEFI firmware vulnerability.
ESET security researchers have discovered three vulnerabilities affecting 70 Lenovo laptop models, including devices from the ThinkBook, IdeaPad and Yoga series.
The affected devices include widely sold models such as the IdeaPad 3, Legion S7, ThinkBook 15-IIL and Yoga laptops from several series. On many of them only one of the three affected UEFI drivers is vulnerable and needs updating; on some 14- and 15-inch ThinkBooks all three drivers have to be replaced.
All three flaws are buffer overflows in the UEFI (BIOS) driver code that handles data passed into the firmware. An attacker who already has local privileges on the machine could use them to inject and execute code at firmware level, before the installed operating system boots and before its security mechanisms take effect. Lenovo responded promptly and is providing updates for the affected models.
Successful exploitation would be serious, but the flaws were not rated as severe and exploitation is not considered likely. Lenovo's support website lists the affected devices and explains how to obtain the appropriate downloads.
The updates fix three vulnerabilities in UEFI drivers shipped in some Lenovo notebooks: CVE-2022-1890 in ReadyBootDxe, CVE-2022-1891 in SystemLoadDefaultDxe and CVE-2022-1892 in SystemBootManagerDxe.
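ESET's published root cause for all three flaws was insufficient validation of the DataSize value handed back by the UEFI GetVariable() runtime service. The following C program is an added illustration of that bug class, written for this page; it is not Lenovo's or EDK2's code. The EFI types, the in-memory variable store, the variable name BootConfig and the 16-byte driver buffer are constructed stand-ins so that it runs on an ordinary host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: a DXE-style driver that trusts the DataSize returned by
 * GetVariable(). Not Lenovo or EDK2 code; types, variable store and buffer
 * sizes are constructed so the program runs on any host. */
typedef uint64_t EFI_STATUS;
typedef uint64_t UINTN;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 5ULL    /* UEFI spec code, error high bit omitted */
#define EFI_NOT_FOUND        14ULL

/* Constructed NVRAM: one variable that a local administrator could rewrite from
 * the running OS (efivarfs on Linux, SetFirmwareEnvironmentVariable on Windows). */
#define VAR_NAME "BootConfig"
static unsigned char g_var_data[64];
static UINTN g_var_size;

int set_variable(const void *data, UINTN size)
{
    if (size > sizeof g_var_data) return -1;
    memcpy(g_var_data, data, size);
    g_var_size = size;
    return 0;
}

/* Mock of gRT->GetVariable() with the spec's contract: if the caller's buffer is
 * too small, *data_size is set to the required size and nothing is copied. */
EFI_STATUS get_variable(const char *name, UINTN *data_size, void *data)
{
    if (strcmp(name, VAR_NAME) != 0) return EFI_NOT_FOUND;
    if (*data_size < g_var_size) {
        *data_size = g_var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    *data_size = g_var_size;
    memcpy(data, g_var_data, g_var_size);
    return EFI_SUCCESS;
}

/* Driver stack frame model: bytes 0..15 are its fixed buffer, bytes 16..23 stand
 * in for whatever follows it (saved pointer, return address). The vulnerable
 * frame is sized so the simulated overflow stays inside the array and this
 * program itself has no undefined behaviour. */
#define DRIVER_BUF_LEN 16
#define NEIGHBOR_LEN   8
static const unsigned char k_neighbor[NEIGHBOR_LEN] = {0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5};

/* Vulnerable pattern: probe the size, then hand the returned (attacker-chosen)
 * size straight back with a 16-byte buffer. Returns 1 if the neighbouring bytes
 * were overwritten, 0 if not, -1 if the variable is missing. */
int vulnerable_read_clobbers_neighbor(void)
{
    unsigned char frame[sizeof g_var_data + NEIGHBOR_LEN] = {0};
    memcpy(frame + DRIVER_BUF_LEN, k_neighbor, NEIGHBOR_LEN);
    UINTN size = 0;
    EFI_STATUS st = get_variable(VAR_NAME, &size, frame);   /* size := stored length */
    if (st != EFI_BUFFER_TOO_SMALL && st != EFI_SUCCESS) return -1;
    get_variable(VAR_NAME, &size, frame);   /* BUG: size never checked against DRIVER_BUF_LEN */
    return memcmp(frame + DRIVER_BUF_LEN, k_neighbor, NEIGHBOR_LEN) != 0;
}

/* Hardened pattern: the buffer length is the bound; a variable that does not fit
 * is refused, not copied. Returns 0 on success, -1 on refusal, 1 if the
 * neighbouring bytes were touched (must never happen). */
int hardened_read(unsigned char out[DRIVER_BUF_LEN], UINTN *out_len)
{
    unsigned char frame[DRIVER_BUF_LEN + NEIGHBOR_LEN] = {0};
    memcpy(frame + DRIVER_BUF_LEN, k_neighbor, NEIGHBOR_LEN);
    UINTN size = DRIVER_BUF_LEN;                        /* how much room we have */
    EFI_STATUS st = get_variable(VAR_NAME, &size, frame);
    if (st != EFI_SUCCESS) return -1;                   /* covers EFI_BUFFER_TOO_SMALL */
    if (memcmp(frame + DRIVER_BUF_LEN, k_neighbor, NEIGHBOR_LEN) != 0) return 1;
    memcpy(out, frame, size);
    *out_len = size;
    return 0;
}

/* Store a variable of var_len 0x41 bytes (constructed input) and run one reader. */
int run_with_variable_len(UINTN var_len, int use_hardened)
{
    unsigned char data[sizeof g_var_data], out[DRIVER_BUF_LEN];
    UINTN n = 0;
    memset(data, 0x41, sizeof data);
    if (set_variable(data, var_len) != 0) return -2;
    return use_hardened ? hardened_read(out, &n) : vulnerable_read_clobbers_neighbor();
}

int main(void)
{
    printf("8-byte variable:  vulnerable=%d hardened=%d\n",
           run_with_variable_len(8, 0), run_with_variable_len(8, 1));
    printf("40-byte variable: vulnerable=%d hardened=%d\n",
           run_with_variable_len(40, 0), run_with_variable_len(40, 1));
    return 0;
}
```

With an 8-byte variable both readers behave; once the variable grows past 16 bytes the vulnerable reader copies attacker-controlled data over the bytes next to its buffer, while the hardened reader gets EFI_BUFFER_TOO_SMALL and refuses. The fix is the same in real firmware: never reuse a size returned by the firmware as the copy length for a fixed buffer, and treat a too-small result as an error rather than a hint.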
Lenovo users should open the product page for their device on the Lenovo website and select Drivers & Software. First note the BIOS version currently installed (on Windows, msinfo32 shows it under BIOS Version/Date; on Linux, sudo dmidecode -s bios-version prints it), compare it with the fixed versions listed in the table on the linked advisory, and install the update offered for your model if your version is older. Because the update rewrites the firmware, run it on mains power and do not interrupt it.