Vulnerabilities allowing permanent infections affect 70 Lenovo laptop models

(credit: Lenovo)

For owners of more than 70 Lenovo laptop models, it’s time once again to patch the UEFI firmware against critical vulnerabilities that attackers can exploit to install malware that’s nearly impossible to detect or remove.

The laptop maker on Tuesday released updates for three vulnerabilities that researchers found in the UEFI firmware used to boot up a host of its laptop models, including the Yoga, ThinkBook, and IdeaPad lines. The company assigned a medium severity rating to the vulnerabilities, which are tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892 and affect the ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe drivers, respectively.

“The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features,” security firm ESET said. “These vulnerabilities were caused by insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing a buffer overflow of the Data buffer in the second GetVariable call.”
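The bug class ESET describes is the "double GetVariable" pattern: a driver calls GetVariable once to learn how large an NVRAM variable is, then calls it again to copy the contents, but never checks the size it got back against the fixed buffer it copies into. The following is an added, constructed model of that pattern, not Lenovo's firmware or ESET's code: `MockGetVariable`, the variable name `BootSetting`, the 8-byte `Data` buffer and the canary check are all assumptions made for the example. The vulnerable function places its buffer at the start of a larger canary-filled frame so the overflow stays inside memory the function owns and can be reported rather than corrupting the stack; the hardened version initialises `DataSize` to the real buffer size and refuses any variable that does not fit.

```c
/* Constructed model of the double-GetVariable overflow pattern.
 * Nothing here is real firmware; the UEFI service is mocked in-process. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int EFI_STATUS;                 /* simplified stand-in for the real type */
#define EFI_SUCCESS            0
#define EFI_BUFFER_TOO_SMALL   1
#define EFI_NOT_FOUND          2
#define EFI_INVALID_PARAMETER  3

/* One fake NVRAM variable. Its size is the untrusted input: NVRAM contents
 * are not under the driver's control, so DataSize must never be trusted. */
#define STORED_VAR_NAME "BootSetting"   /* constructed name */
static uint8_t g_stored_value[64];
static size_t  g_stored_size = 8;

/* Helper for the example: set the variable to n bytes of a fixed pattern. */
size_t set_stored_variable(size_t n)
{
    if (n > sizeof g_stored_value) n = sizeof g_stored_value;
    memset(g_stored_value, 0x11, n);
    g_stored_size = n;
    return g_stored_size;
}

/* Minimal model of EFI_RUNTIME_SERVICES.GetVariable: if *data_size is too
 * small, report the required size and EFI_BUFFER_TOO_SMALL; otherwise copy
 * the value and set *data_size to the number of bytes written. */
static EFI_STATUS MockGetVariable(const char *name, void *data, size_t *data_size)
{
    if (strcmp(name, STORED_VAR_NAME) != 0) return EFI_NOT_FOUND;
    if (*data_size < g_stored_size) {
        *data_size = g_stored_size;     /* tell the caller how much it needs */
        return EFI_BUFFER_TOO_SMALL;
    }
    if (data == NULL) return EFI_INVALID_PARAMETER;
    memcpy(data, g_stored_value, g_stored_size);
    *data_size = g_stored_size;
    return EFI_SUCCESS;
}

#define DATA_BUFFER_SIZE 8              /* the fixed Data buffer the driver uses */
#define CANARY 0xA5

/* Vulnerable pattern: the size learned from the first call is passed straight
 * into the second call, so a variable larger than Data overflows it.
 * Returns 1 if the bytes after Data were overwritten, 0 if not, -1 on error. */
int vulnerable_load_setting(void)
{
    uint8_t frame[64];                  /* Data occupies frame[0..7]; the rest is canary */
    memset(frame, CANARY, sizeof frame);
    uint8_t *data = frame;
    size_t data_size = 0;

    MockGetVariable(STORED_VAR_NAME, NULL, &data_size);   /* first call: get the size */
    /* Missing check: data_size is never compared with DATA_BUFFER_SIZE. */
    if (MockGetVariable(STORED_VAR_NAME, data, &data_size) != EFI_SUCCESS)
        return -1;                                        /* second call: the copy */

    for (size_t i = DATA_BUFFER_SIZE; i < sizeof frame; i++)
        if (frame[i] != CANARY) return 1;                 /* overflow observed */
    return 0;
}

/* Hardened pattern: DataSize starts at the real buffer size, a too-large
 * variable is rejected, and the setting is required to be exactly the
 * size the driver expects. Returns 0 on success, negative on rejection. */
int hardened_load_setting(void)
{
    uint8_t data[DATA_BUFFER_SIZE];
    size_t data_size = sizeof data;

    EFI_STATUS st = MockGetVariable(STORED_VAR_NAME, data, &data_size);
    if (st == EFI_BUFFER_TOO_SMALL) return -1;   /* variable does not fit: refuse it */
    if (st != EFI_SUCCESS)          return -2;   /* any other failure */
    if (data_size != sizeof data)   return -3;   /* unexpected size for a fixed-size setting */
    return 0;
}

int main(void)
{
    set_stored_variable(8);
    printf("8-byte variable:  vulnerable=%d hardened=%d\n",
           vulnerable_load_setting(), hardened_load_setting());
    set_stored_variable(32);
    printf("32-byte variable: vulnerable=%d hardened=%d\n",
           vulnerable_load_setting(), hardened_load_setting());
    return 0;
}
```

With a well-formed 8-byte variable both versions succeed; once the variable in NVRAM is grown to 32 bytes the vulnerable loader reports its canary clobbered while the hardened loader returns -1 without copying anything. In real firmware the equivalent check is to pass the true buffer size as DataSize on every call and treat EFI_BUFFER_TOO_SMALL as a hard error, not as a size to reuse.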
