Lenovo Notebook BIOS Vulnerabilities
Incident Report for CyFlare
Monitoring
Emerging Threat Advisory

Posted Date: 07/12/2022

Published Date: 07/13/2022

Source: Known, reputable security agencies, reports and articles

Sector: All – including Government agencies

Reported by: Ars Technica blog post and Lenovo Support

CVE: CVE-2022-1890, CVE-2022-1891 and CVE-2022-1892

DATE(S) ISSUED: 07/13/2022

SUBJECT: Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models

OVERVIEW:

The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of platform boot, possibly allowing attackers to hijack the OS execution flow and disable important security features. They were caused by insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing a buffer overflow of the Data buffer in the second GetVariable call.

THREAT INTELLIGENCE: Per recent updates from Lenovo, the vulnerability is actively being exploited in attacks; the targets are currently unknown.
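The defect class described above, the UEFI "two-call" GetVariable pattern in which the size learned from the first call is trusted on the second call, is illustrated here as an added example. This is constructed user-space demonstration code, not Lenovo firmware and not code from any of the drivers named in this advisory: mock_get_variable only imitates the EFI_BUFFER_TOO_SMALL / DataSize contract of the real service, the variable name "BootCfg" and its 40-byte contents are made up, and a canary word stands in for whatever memory follows the Data buffer in real firmware.

```c
/* Added example (not Lenovo's or any vendor's code): a user-space model of the
 * UEFI GetVariable two-call pattern and the DataSize check that was missing.
 * mock_get_variable, the "BootCfg" variable and its contents are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Subset of EFI status codes (values as in the UEFI specification) */
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5
#define EFI_NOT_FOUND        14

#define DATA_CAP 16                 /* size the driver expects the variable to be */
#define CANARY   0xA5A5A5A5u

/* Constructed NVRAM store holding a single, attacker-writable variable. */
typedef struct { const char *name; uint8_t value[64]; size_t size; } NvramVar;
static NvramVar g_store;

static void set_nvram(const char *name, size_t size, uint8_t fill)
{
    g_store.name = name;
    g_store.size = size > sizeof g_store.value ? sizeof g_store.value : size;
    memset(g_store.value, fill, g_store.size);
}

/* Imitates gRT->GetVariable: if *data_size is too small (or data is NULL),
 * report the needed size and return EFI_BUFFER_TOO_SMALL; else copy the value. */
static int mock_get_variable(const char *name, size_t *data_size, void *data)
{
    if (g_store.name == NULL || strcmp(name, g_store.name) != 0) return EFI_NOT_FOUND;
    if (data == NULL || *data_size < g_store.size) {
        *data_size = g_store.size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(data, g_store.value, g_store.size);
    *data_size = g_store.size;
    return EFI_SUCCESS;
}

/* Simulated driver memory: a DATA_CAP-byte Data buffer, then a canary standing
 * in for adjacent firmware memory, then slack so the simulated overflow stays
 * inside this program's own array instead of corrupting the process. */
typedef struct { uint8_t mem[DATA_CAP + sizeof(uint32_t) + 64]; } Region;

static void region_init(Region *r)
{
    uint32_t c = CANARY;
    memset(r->mem, 0, sizeof r->mem);
    memcpy(r->mem + DATA_CAP, &c, sizeof c);
}
static int region_intact(const Region *r)
{
    uint32_t c;
    memcpy(&c, r->mem + DATA_CAP, sizeof c);
    return c == CANARY;
}

/* Vulnerable pattern: the first call is used only to learn the size, and the
 * updated DataSize is then handed to the second call together with a fixed
 * Data buffer without checking it against the buffer's capacity. */
static int read_var_unchecked(const char *name, Region *r)
{
    size_t data_size = DATA_CAP;
    int st = mock_get_variable(name, &data_size, NULL);      /* learns the real size */
    if (st != EFI_BUFFER_TOO_SMALL && st != EFI_SUCCESS) return st;
    return mock_get_variable(name, &data_size, r->mem);      /* copies data_size bytes */
}

/* Hardened pattern: pass the buffer's capacity, never the size learned earlier;
 * treat EFI_BUFFER_TOO_SMALL as a rejection, and re-check the returned size
 * because the NVRAM variable may change between two calls. */
static int read_var_checked(const char *name, Region *r)
{
    size_t data_size = DATA_CAP;
    int st = mock_get_variable(name, &data_size, r->mem);
    if (st != EFI_SUCCESS) return st;                        /* includes BUFFER_TOO_SMALL */
    if (data_size > DATA_CAP) return EFI_BUFFER_TOO_SMALL;   /* defensive re-check */
    return EFI_SUCCESS;
}

/* 1 if the unchecked reader writes past the Data buffer. */
static int demo_unchecked_overflows(void)
{
    Region r; region_init(&r);
    set_nvram("BootCfg", 40, 0x41);            /* constructed oversized variable */
    read_var_unchecked("BootCfg", &r);
    return !region_intact(&r);
}
/* 1 if the checked reader rejects the oversized variable and leaves memory intact. */
static int demo_checked_rejects(void)
{
    Region r; region_init(&r);
    set_nvram("BootCfg", 40, 0x41);
    return read_var_checked("BootCfg", &r) == EFI_BUFFER_TOO_SMALL && region_intact(&r);
}
/* 1 if the checked reader still accepts a well-formed (12-byte) variable. */
static int demo_checked_reads_normal(void)
{
    Region r; region_init(&r);
    set_nvram("BootCfg", 12, 0x42);
    int st = read_var_checked("BootCfg", &r);
    return st == EFI_SUCCESS && region_intact(&r) && r.mem[0] == 0x42 && r.mem[11] == 0x42;
}

int main(void)
{
    printf("unchecked reader overwrote memory past Data: %s\n", demo_unchecked_overflows() ? "yes" : "no");
    printf("checked reader rejected oversized variable:  %s\n", demo_checked_rejects() ? "yes" : "no");
    printf("checked reader accepted normal variable:     %s\n", demo_checked_reads_normal() ? "yes" : "no");
    return 0;
}
```

The important design point is in read_var_checked: the capacity of the destination buffer, not a size reported by an earlier call, is what goes into DataSize on the copying call, and EFI_BUFFER_TOO_SMALL is handled as "reject this variable" rather than as "grow DataSize and try again". In firmware reviews this is the check to look for in every driver that reads NVRAM variables into fixed-size buffers.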

SYSTEMS AFFECTED:
Affected laptop model lines:
• Yoga
• ThinkBook
• IdeaPad
• ThinkPad

RISK:
Government and their entities: High Impact
Businesses and their entities: High Impact

TECHNICAL SUMMARY:

Lenovo has assigned a medium severity rating to the vulnerabilities, which are tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892 and affect the ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe drivers, respectively.
CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products, which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products, which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products, which may allow an attacker with local privileges to execute arbitrary code.

RECOMMENDATIONS:

1. Search for your product by name or machine type.
2. Click Drivers & Software on the left menu panel.
3. Click on Manual Update to browse by Component type.
4. Compare the minimum fix version for your product from the applicable product table in Lenovo's advisory (LEN-91369, listed under References) with the latest version posted on the support site.
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

REFERENCES:
https://arstechnica.com/information-technology/2022/07/vulnerabilities-allowing-permanent-infections-affect-70-lenovo-laptop-models/
https://support.lenovo.com/sk/en/product_security/len-91369
Posted Jul 20, 2022 - 16:25 EDT
This incident affects: Breach Detection Service.